Altis DXP (Digital Experience Platform)

Altis, a Digital Experience Platform, enables its clients to create and personalise experiences on their digital properties through a suite of developer and business tools. Built on top of a secure and performant technical foundation, Altis leverages Machine Learning and Artificial Intelligence to automate, innovate, and continuously drive business value.


  • Content Management System (CMS) including easy content creation and publishing
  • Expansion: Unlimited sites, Multisite-ready, Multilingual, Code internationalisation
  • User Management: User-permissions, 2FA, Strong passwords, First-party data layer, SSO
  • Marketing: SEO, Personalised content, AMP, FB Articles, Retargeting, Tracking
  • Content Optimisation Tools: Audience creation, Personalised content, A/B testing, Workflows
  • Machine learning and artificial intelligence automations
  • Powerful tools including adanced search tools and smart media management
  • Dashboards for content management, publishing and developer workflows
  • 99.95% Uptime SLA, Global CDN, Performance and Security management
  • Developer Tools: REST API, Local Server, Documentation, Tamperproof audit-logs, CLI


  • Reduced cost for website development
  • Highly available, scalable and performant
  • Thoroughly secure hosting environment
  • Faster time to market for content publishing
  • Optimize, personalise and distribute your content across many markets
  • ML and AI to automate mundane tasks
  • Ever-growing features to let you innovate continuously
  • Account Management and Dashboards to monitor your services
  • Developer tools to let Engineers focus on delivering value
  • No vendor lock-in so that you always have a choice


£3,500 to £35,000 a unit a month

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

7 8 6 6 9 9 0 9 9 5 9 0 2 9 4


Telephone: 01629 628082

Service scope

Service constraints
The only constraint is that our infrastructure runs only on Amazon Web Services servers.
System requirements

User support

Email or online ticketing support
Email or online ticketing
Support response times
Emergency SLA is 2h. Response times are the same weekdays and weekends if the request is "urgent". If not urgent, the request will be processed on Monday within 24h.
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Web chat support
Onsite support
Yes, at extra cost
Support levels
Support provided are as follows: - Infrastructure Support handled directly by our Cloud Support Engineers and is included in the cost of the platform. - Developer Support is provided when builds are handled by the client's team or by a third party. It is included in the price of the platform by our Engineers. - Account management is also included as a primary point of contact between the platform and our clients.
Support available to third parties

Onboarding and offboarding

Getting started
We provide developer documentation here: We also help facilitate migration to Altis through an assisted migration as well as include support for infrastructure, development, and local environment setup needs.
Service documentation
Documentation formats
End-of-contract data extraction
We have a data exporter. Clients and Developers can reach out to our support team for database information and uploads.
End-of-contract process
Ending a contract involves notice from the client so that they can be relieved from his commitments at the end of the notice period. There are no costs associated to ending a contract. We facilitate transitions at the end of the contract as much as possible.

Using the service

Web browser interface
Using the web interface
Web interface accessibility standard
None or don’t know
How the web interface is accessible
We have not tested for accessibility yet.
Web interface accessibility testing
We have not tested with assistive technology users yet.
Command line interface


Scaling available
Scaling type
Independence of resources
1- The CDN in front of the infrastructure caches requests at the edge. 2- We autoscale our web servers. 3- We have a shared page cache for the web servers. 4- We have the out-of-the-box ability to scale read-replica without downtime.
Usage notifications
Usage reporting


Infrastructure or application metrics
Metrics types
  • CPU
  • Disk
  • Number of active instances
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Encryption of all physical media
  • Other
Other data at rest protection approach
Other data at rest protection approach

Public Images bucket: Unencrypted at rest--- Web Server: Encrypted at Rest --- Database: Encrypted at Rest --- Redis: Encrypted at Rest --- ElasticSearch: Unencrypted at Rest
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Backup and recovery

Backup and recovery
What’s backed up
  • Database
  • Uploads
Backup controls
Users can choose if they want to backup databases, uploads, or both.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Supplier controls the whole backup schedule
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
Communication between CDN and Load Balancers are encrypted using TLS: Load Balancer: Web Server uses TLS --- Web Server: Redis Cache uses TLS --- Web Server: ElasticSearch uses TLS --- Web Server: Database is unencrypted in transit --- Web Server: AWS Services uses TLS

Availability and resilience

Guaranteed availability
99.95% monthly uptime. Refunds are available per contract if SLA is not met.
Approach to resilience
Web Servers are replaced automatically when they become unhealthy --- Databases are continually backed up and can be restored to the second over the last 35 days --- Uploaded images have a 99.9999999% of durability --- We leverage AWS CloudFront and Application Load Balancers to handle serving web traffic
Outage reporting
Email alerts

Identity and authentication

User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
We have multiple interfaces that are managed through role-based authorization as well as authentication (strong passwords and two-factor-authentification). Support channels are available through the dashboard for authorized roles. Support is also provided through email when required.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password
Devices users manage the service through
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
We are currently in the process to complying with CIS.

We anticipate certification under either ISO27001 or ISAE 3402 in 2021.
Information security policies and processes
The Cloud services team supports the Altis infrastructure service

Employee on/offboarding / Acceptable Use Policy.
Access Control Policy.
Disaster Recovery Policy.
Remote Access Policy.
Incident Response (IR) Policy.
Information Security Policy.
Password management Policy; Identification and Authentication.
Backups & Encryption.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Components and their potential security impact are tracked through their lifetime and are iterated on to add further functionalities over time. For all development/staging sites that are not serving production traffic, we can roll out changes without client pre-approval during the maintenance window. We must inform clients once an infrastructure update to a development or staging environment has been made. Infrastructure must always be made to development/staging environments before production environments. For all infrastructure updates to production sites, we must get sign-off before updates are made. This can be done with a pre-established maintenance window, or on an ad-hoc basis.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Our comprehensive penetration testing considers several areas: Application penetration testing — Identifies application layer flaws such as Cross Site Request Forgery, Cross Site Scripting, Injection Flaws, Weak Session Management, Insecure Direct Object References and more. Network penetration testing — Focuses on identifying network and system level flaws including Misconfigurations, Product-specific vulnerabilities, Wireless Network Vulnerabilities, Rogue Services, Weak Passwords and Protocols. As we have no on-premise datacenters or physical devices, penetration testing on physical devices is not required. These approaches typically involve several steps: Information Gathering - Threat Modelling - Vulnerability Analysis - Exploitation - Post-Exploitation - Reporting
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
The Altis protective monitoring approach includes a tamperproof audit log, hosted off-site that is enabled for all activities and that logs all changes made on the infrastructure, shared resources, and codebase. It guarantees an audit trail you can refer back to when needed.

In addition, we actively monitoring changes, and our cloud team gets alerted when changes follow an unexpected pattern. Alerts feed into our incidents escalation processes.
Incident management type
Supplier-defined controls
Incident management approach
Incidents comprise the following: Performance degradation, Service degradation, Security breach, and exploits of a Production site. An event becomes an ‘incident’ if any one of the following is true: 1/ Issues affecting part of the site (a certain page or set of pages is not accessible). 2/Issue affecting the whole site (performance issues, intermittent Cloud errors). 3/Whole site down or unavailable. Our incident response plan follows the following steps: Detect - Respond - Recover - Learn - Improve The Cloud Team is on-call on a global, follow-the-sun basis 24 hours a day, 7 days a week.

Secure development

Approach to secure software development best practice
Supplier-defined process

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Who implements virtualisation
Virtualisation technologies used
Other virtualisation technology used
How shared infrastructure is kept separate
We run different instances for each client and its own Docker container within it. We also have policy control for each shared resource.

Energy efficiency

Energy-efficient datacentres
Description of energy efficient datacentres
We adhere to the EU Code of Conduct guidelines through our AWS supplier. Details are here:


£3,500 to £35,000 a unit a month
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.