S8080 Limited

Open Source CMS - content management system ISO 27001 certified

ISO27001 certified open source, cloud-hosted CMS for websites and digital services. S8080’s GDPR compliant open source CMS platforms securely handle multilingualism, CRM, integrations, single sign-on, forms and workflow. Open-source Drupal and Umbraco content management systems are easy to use, yet powerful. Mobile and accessible CMS, designed around your user’s needs.


  • Open source consultancy, digital services and websites
  • Open source CMS development, deployment and configuration
  • Open source migration and Open source upgrades
  • Open source security hardening and patching
  • Mobile optimised Open source templates
  • Open source solutions using Microsoft’s .NET framework or LAMP stack
  • Open source content versioning, audit and rollback
  • Powerful search options including Apache Solr, Funnelback and Elasticsearch
  • Open source UK cloud hosting, fully managed, public or private
  • Open source multilingual publishing and Welsh Language Standards compliant


  • IA, user centred design, user testing and Alpha rapid prototyping
  • Open source has no vendor tie-in and no licence fees
  • Complex back-office and CRM integrations, with single sign-on
  • ISO 27001 certified and ISO 9001 certified
  • Cyber Essentials and Cyber Essentials Plus certified
  • 24/7/365 support with direct Open source developer access
  • Accessibility testing to WCAG 2.1 AAA
  • Clients include No.10, ministerial departments, emergency services, local authority, education
  • UK based agency, Open-source team and hosting provision. No contractors
  • Anti DDOS measures and PEN testing options


£620 to £770 per person per day

  • Education pricing available

Service documents

G-Cloud 11


S8080 Limited

Christopher Cowell

01792 398 266


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints If you'd like us to migrate or support a CMS, website or online application that has been built by another provider, we will need to check a few things first to validate existing GDPR compliance, security, accessibility and usability.
System requirements None

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Support availability is 24/7 - 365 days a year. Support response times within 30 minutes, (but usually immediate).
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.1 AA or EN 301 549
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard WCAG 2.1 AA or EN 301 549
Web chat accessibility testing Validation from web chat SaaS provider.
Onsite support Yes, at extra cost
Support levels Together with a fully managed hosting provision, we offer two support options. Your S8080 project manager will be your single point of contact for the duration of your support.

• Standard Support - Work is billed to the nearest 10 minutes and charged at our standard rates with no surcharges. Support will be provided during office hours, Monday to Friday, 8.00 to 5.30pm. For extended cover, see our 24/7/365 support below.
Support time can be used for absolutely anything, it's very flexible.

• 24/7/365 Support - for clients who demand an extended level of service. It’s 24 hours a day, seven days a week, 365 days a year and available as an addition to our Standard Support.

How it works: if your website or service becomes unavailable at 1.30am on Christmas morning, our developers will be alerted and will investigate the issue with the hosting provider's engineers within 10 minutes.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started • Onsite training
• User documentation
• Online video 'reminders' of commonly used functionality
Service documentation Yes
Documentation formats
  • HTML
  • ODF
  • PDF
  • Other
Other documentation formats
  • Brief video tutorials for common tasks
  • Brief video tutorials for CMS tasks only performed occasionally
End-of-contract data extraction We will provide full access to CMS software code (stored in GitHub / TFS - Microsoft Team Foundation Server). We will also provide full access to the database and files on your server environment. We can also help with extracting this for you if required.
End-of-contract process If we have arranged hosting for you, you can arrange to continue the arrangement with the hosting provider or move to another hosting provider.
We will provide full access to CMS software code (stored in GitHub / TFS - Microsoft Team Foundation Server). We will also provide full access to the database and files on your server environment.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The layout of content is optimised for mobile delivery.
Accessibility standards WCAG 2.1 AA or EN 301 549
Accessibility testing Tested with Total Validator software.

Also, if it's a requirement, your website / digital service can undergo online or lab-based user testing, and pan-disability user testing.

Each testing team is made up of individuals who have different types of disabilities and all of whom use assistive technology to access computers.

We test to ensure accessibility for those people with:
• Blind
• Low vision
• Colour-blind
• Dyslexia
• Learning disabilities
• Mobility impairments
• Deaf
• Asperger’s
• Epilepsy
• Anxiety/Panic disorder
What users can and can't do using the API Drupal and Umbraco have many available open-source, off the shelf configurable APIs. Full details can be found at: https://www.drupal.org/docs/8/api and https://our.umbraco.org/documentation/reference/
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • ODF
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The CMS's public-facing front end and administration screens can be customised almost without limit.

Depending on your CMS implementation, customisation can be achieved through:
• CMS software settings
• Coding using HTML and CSS (and CMS dependent configurations)
• Modules and Plug-ins

CMS software settings customisation would need to be undertaken by a trained user. Coding and module customisation would need to be undertaken by competent web developer familiar with the CMS platform.


Independence of resources The service is hosted on a fully managed public or private (single tenant) cloud-based virtual machine. You have your own instance of the CMS application and supporting infrastructure. You do not share resources or software with anyone else.


Service usage metrics Yes
Metrics types The full range of insights and analytics that Google Analytics provides in:
• Google Analytics 360 Suite
• Google Analytics
• Google Tag Manager
• Google Optimize
• Google Data Studio

Or we can integrate other analytics packages that your organisation uses.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest Physical access control, complying with CSA CCM v3.0
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Depending on the type of data you need from the system, we can automate secure data exporting for you.
We can also provide full access to CMS software code (stored in GitHub / TFS - Microsoft Team Foundation Server) together with full access to the database and files on your server environment.
We can also help with extracting data for you as part of your support package.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability 99.99% availability.

Users are refunded on a pro-rated basis for unavailability of service.
Approach to resilience Depending on your requirements, our service can be deployed across a number of sites, regions and zones. Each zone is designed to eliminate single points of failure (such as power, network and hardware) to ensure service continuity should a failure, incident or attack occur.
Outage reporting All outages will be reported via the service status pages on the hosting provider's status dashboard in real-time. Our team receive instant alerts.

Instant alerts are available via Pingdom.

We also offer 24/7/365 monitoring and issue resolution support for clients who demand an extended level of service.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels To access CMS management interfaces, all users are required to have a unique username, password (and memorable information if required).

You may also implement 2-factor authentication and IP restriction.

Support is available to named individuals only who are verified via the support portal login or via telephone or email requests.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 UKAS
ISO/IEC 27001 accreditation date 24/04/2019
What the ISO/IEC 27001 doesn’t cover Our whole service provision is covered by ISO/IEC 27001 certification.
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date 30/03/2012
CSA STAR certification level Level 3: CSA STAR Certification
What the CSA STAR doesn’t cover S8080 do not hold the certification directly, however, our hosting partners have a current CSA Security, Trust & Assurance Registry (STAR) certification, up to Level 3, that covers the security of the service.
PCI certification Yes
Who accredited the PCI DSS certification Sage Pay Europe
PCI DSS accreditation date 13/07/2017
What the PCI DSS doesn’t cover S8080 do not hold the certification directly, however, Sage Pay Europe, our preferred online payment partners, have current Payment Card Industry Data Security Standard (PCI DSS) certification.
• PCI DSS v3.2
• PCI DSS v3.2 Level 1 Service Provider

We also integrate with other online payment providers, based on client preferences.
Other security certifications Yes
Any other security certifications
  • Cyber Essentials
  • Cyber Essentials Plus +
  • ISO 9001:2015

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
  • Other
Other security governance standards S8080 hold the following certifications:

ISO/IEC 27001
Cyber Essentials
Cyber Essentials Plus +
ISO 9001:2015

Our hosting partners comply with Cloud Security Alliance CCM V 3.0
Information security policies and processes Our ISO/IEC 27001:2013 statement of applicability (SOA) outlines 114 Annex A objectives and controls, of which 112 are applicable to our scope:

"The protection of client and company sensitive data, network and IT management, products and services used in the delivery of web-based services including development, consultancy and hosting".

Each applicable control defines an information security policy or procedure that is externally audited every 12 months.

As part of our IMS system, we have defined roles and responsibilities for information security, with overall responsibility being held by an S8080 Director.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach S8080 has documented change management policies and processes, which have been implemented, maintained and externally audited in accordance our ISO/IEC 27001 certification.

Formal configuration management activities, including record management and asset reporting, are logged, monitored and validated, and any discrepancies investigated using our Corrective Action Reporting (C.A.R.) procedures.

A process for formal change requests is managed by our project management team in accordance with our ISO 9001 Quality management system.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach S8080's ISO/IEC 27001 approach is based on Cloud Security Principle 5:

If evidence suggests a vulnerability is being actively exploited, we mitigate immediately.

If not:
• ‘Critical’ patches deployed within hours
• ‘Important’ patches deployed within 2 weeks (if not sooner)
• ‘Other’ patches deployed within 8 weeks (if not sooner)

We use GFI LanGuard and Tenable Nessus Professional to monitor and manage our local network vulnerability and patch management.

Drupal and Umbraco send weekly 'active exploitation' and 'regular' vulnerability notifications for core software and modules/plugins.

We also use automated software to check for module/security patch releases on our deployments.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Following best practice from the National Cyber Security Centre, S8080 protects its platforms with enhanced protective monitoring services (SIEM), at the hypervisor level and below.

This approach to protective monitoring continues to align with the Protective Monitoring Controls (PMC 1-12) outlined in CESG document GPG13 (Protective Monitoring for HMG ICT Systems).

It includes checks on time sources, cross-boundary traffic, suspicious activities at a boundary, network connections and the status of backups, among many others.

All alerts are immediately notified to our 24/7/365 developers for prompt investigation.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach S8080 has an externally audited documented incident management policy and process, which have been implemented, maintained and assessed in accordance our ISO27001 information security certification.

This activity is responsible for the progression of alerts generated by automated monitoring systems, issues identified by S8080 personnel, and incidents identified and reported to by its customers and hosting partners.

All incidents are promptly reported to our 24/7/365 development team, which ensures that each is promptly assigned to an appropriate resource, and its progress tracked (and escalated, as required) to resolution, and if appropriate, documented using our Corrective Action Reporting (C.A.R.) procedures.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £620 to £770 per person per day
Discount for educational organisations Yes
Free trial available No

Service documents

pdf document: Pricing document pdf document: Skills Framework for the Information Age rate card pdf document: Service definition document pdf document: Terms and conditions
Service documents
Return to top ↑