Isotoma Ltd

TrustServe: Wagtail web site for NHS Trusts

Your site. Your way. Your peace of mind. With TrustServe you get a secure, end-to-end website solution that’s tailored to your trust’s needs. TrustServe uses Wagtail; the platform delivering the new We work with you to ensure smooth, customised delivery over six stages: analysis; planning; design; build; launch; support


  • End-to-end solution for procuring and developing a new website
  • Uses Wagtail, the CMS behind the new
  • Customisation for your trust included in the cost
  • Extensive user research and testing already carried out
  • Penetration tested
  • Accessibility audited
  • Load tested
  • GDPR compliant
  • Hosted at AWS. Secure, resilient and auto-scaling by default


  • Clearly defined process makes timelines and costs transparent
  • Meet the content needs of your communications team
  • Already audited to meet NHS Digital and GDS guidelines
  • Public cloud hosting
  • Easy to use admin interface
  • Meets all standards according to current IT best practice
  • Extensible; as your needs change, so can the site
  • Integrates seamlessly with other software
  • Fixed price and fixed timeline
  • Free trial available


£40,000 an instance

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

784144789531481


Isotoma Ltd Andy Theyers
Telephone: 01904313980

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
There are no constraints to this service
System requirements
No minimum system requirements

User support

Email or online ticketing support
Email or online ticketing
Support response times
SLA dependent
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Service monitored 24x7. Telephone and email support available UK office hours only. 99.9885% availability. Critical incidents responded to 24x7. Non-critical incidents responded to within 4 working hours. Technical account manager included as part of the service. Cloud support engineer included at take on and contract end. Cloud support engineer available on request (at standard hourly rate) throughout contract.
Support available to third parties

Onboarding and offboarding

Getting started
We will take you through 6 phases: Analysis; Planning; Design; Build; Launch; Support. Each of these phases is well defined and includes on-site visits from our staff. We will engage directly with your internal and external stakeholders to ensure a smooth to the service. On-site training is included in the service cost.
Service documentation
Documentation formats
  • ODF
  • PDF
End-of-contract data extraction
All volatile data is made available in a dedicated S3 bucket that the user has access to at all times. This includes database dumps and all media assets.
End-of-contract process
Users are encouraged to renew; however, if they wish to migrate to an alternative provider, all assets required for the new provider to take on the service are automatically available to the user. 4 hours of consultancy is included; any additional consultancy is charged at our standard hourly rate.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
There is no difference in functionality between mobile and desktop. Presentation on mobile devices is optimised for smaller screens and touch.
Service interface
What users can and can't do using the API
API features are available on request. Most facilities the CMS offers can be accessed via the API.
API documentation
API documentation formats
  • ODF
  • PDF
API sandbox or test environment
Customisation available
Description of customisation
The user interface for public users can be customised using HTML, CSS and JavaScript. Customisation by our team is included in the service charge.


Independence of resources
Each user is partitioned from all other users, and each user is placed in their own AWS Auto Scaling group (ASG).


Service usage metrics


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
All volatile data is made available in an S3 bucket for users to download whenever they require.
Data export formats
Other data export formats
  • Django JSON fixtures
  • Direct SQL dump
Data import formats
Other data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
We guarantee our infrastructure to be available 99.9885% of the time, calculated annually. This equates to 1 hour of unplanned downtime per year. Service is credited at 2% of the annual fee per complete hour outside this target.
Approach to resilience
Our infrastructure is 100% resilient, with every single component in more than one AWS Availability Zone. The exact configuration is available on request.
Outage reporting
Users will receive email notifications should their service fail, and then regular emails until the service is restored.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Our service implements role-based access control. Users and roles are defined by customers as part of service take on.
Access restriction testing frequency
At least every 6 months
Management access authentication
Identity federation with existing provider (for example Google Apps)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
ISO27001 covers our entire business
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
We have an Information Security Policy, which is available on request. We have rigorous induction and training methods which ensure policies are followed. Our reporting structure is also available on request.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Our configuration and change management processes, including component life cycle tracking and security impact assessments, are aligned with the ITIL v3 Framework Guidelines.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We monitor for potential threats through multiple sources, including external repositories and vendor feeds. Each patch and hotfix is assessed by severity, client requirements and/or vendor recommendations.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We rely on AWS GuardDuty for intrusion detection and regular automated vulnerability scanning for potential threats. Every incident is responded to within 4 hours, regardless of time of day or night.
Incident management type
Supplier-defined controls
Incident management approach
Users can report incidents via telephone, web and email. We have predefined processes for common events and leverage the guidelines defined by the ITIL v3 Framework. Incident reports are delivered as ODF documents as agreed with the user on a case by case basis, depending on severity and user requirements.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


£40,000 an instance
Discount for educational organisations
Free trial available
Description of free trial
All potential users may request a free trial of the service. This is initially available for 7 days, but may be extended on request.
