Axis12 Limited

Moodle Hosting

Axis12 provide secure tier 3 hosting for Moodle. Backed by our specialist application management and ISO27001 accreditation, we are able to provide expert support and development services for Moodle on the cloud. We also have extensive experience integrating with back office systems.


  • Hosting from a Tier 3 UK based datacentre
  • Best for security, ISO 27001 accredited
  • PCi DSS compliant, bearing the BSI Kitemark
  • Regular, independent testing to ensure security compliance
  • Multiple environments, Dev, Test, Staging, Production
  • Comprehensive monitoring and reporting
  • Intrusion Detection System (IDS) protected
  • Choice of multiple UK datacentres
  • Amazon hosted option available upon request
  • Edge caching and Content Delivery Network (CDN) provided


  • Robust and scalable architecture designed for Open Source
  • Seamless integration to Open Source development workflows
  • Best practices followed
  • Instances available on demand
  • Flexible configuration
  • 24/7 support option available
  • Disaster Recovery and BCP
  • Data centres staffed by security, technical and network staff 24x7x365


£185 per unit per month

  • Education pricing available

Service documents

G-Cloud 10


Axis12 Limited

Luke Harrop

+44 (0)845 519 5465

Service scope

Service scope
Service constraints Hosting is generally delivered on Linux systems
System requirements
  • KVM or Docker based virtual machines
  • Linux based operating system

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Core office (C) hours: 08:30 – 17:30 Monday to Friday on standard UK business days. Non-core hours (NC): All other times Support for Levels 1–5 issues and Support Requests Level 1, within 15mins (C), up to 30min (NC) Level 2, within 2 hours (C & NC) Level 3, within 24 hours (C & NC) Level 4, within 48 hours (C & NC) Level 5, within 48 hours (C & NC) Other Emails received outside of office hours will be collected, however no action can be guaranteed until the next working day. Non-core hours: All other times
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.0 AA or EN 301 549
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Yes, at an extra cost
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard WCAG 2.0 AA or EN 301 549 9: Web
Web chat accessibility testing N/A
Onsite support Yes, at extra cost
Support levels We provide a range of different support ranging from 24/7 x 365 through to Core hours: Office hours (08:30 – 17:30 Monday to Friday on standard UK business days). Costs vary depending on level of service required and staff type. Every client will have a named account manager experienced in diagnosing and directing requests to the correct resource.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started This first step we take during on-boarding is to create a support project in our back-office support system (Jira). You will need to supply us with a primary contact (through which all change requests will be routed)
plus one or more email addresses for alerts and tickets. Training in how to use Jira for logging tickets will be provided as part of the on-boarding process.
We will confirm your architecture requirements and your servers will then be commissioned and configured.
Provisioning generally takes anywhere from 2-3 hours up to 2-3 days depending on the complexity of your requirements
Service documentation Yes
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction This can be provided by lodging a support request with the team.
End-of-contract process Off-boarding involves removing all accounts associated with back-office systems involved in your deployment and securely deleting all data held in line with our ISO27001 processes. We can provide an archive of all support tickets if requested. Data held on the servers can be packaged and delivered on request although this may incur a small fee. We will also securely delete all tickets in the Jira project we created for you.

Using the service

Using the service
Web browser interface No
What users can and can't do using the API Unless explicitly requested the api is for Axis12 staff only
API automation tools
  • Ansible
  • Puppet
API documentation Yes
API documentation formats
  • HTML
  • PDF
Command line interface Yes
Command line interface compatibility
  • Linux or Unix
  • MacOS
Using the command line interface Unless specifically asked command line interface is for Axis12 staff only


Scaling available Yes
Scaling type
  • Automatic
  • Manual
Independence of resources Network separation, pinned resources with hosts, strict allocation of resources on underlying hosts
Usage notifications Yes
Usage reporting Email


Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
Reporting types
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
Backup and recovery Yes
What’s backed up
  • Files
  • Databases
  • Configuration
Backup controls Users can backup at different times and frequency depending on client need
Datacentre setup Multiple datacentres with disaster recovery
Scheduling backups Users contact the support team to schedule backups
Backup recovery Users contact the support team

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability 99.95% uptime as standard. Higher uptime guarantees on request.
Support for Level 1 issues and planned Support Requests (Levels 2-5) where agreed in advance. An out-of-hours telephone number is provided for The Customer to escalate any Level 1 issues. The Supplier will respond to and action any Level 1 issues in accordance with the response targets.
Hosting and infrastructure issues will be actioned within the resolution targets.
Level 1 issues caused by an application or content change made within non-Core hours will be actioned on a best efforts basis. Outages caused by these issues will be exempt from the uptime measurements and Service Level Credit calculations, and the support services may be chargeable.
Approach to resilience Resilience is provided across our Priority 1 systems through load-balanced firewalls and switches,multiple reverse proxy servers with automatic failover capability, multiple high-availability webservers and a scale-out NAS file system.
Outage reporting Our monitoring systems produce email alerts in near real-time.
A ticket is automatically created in our web based ticketing system called Jira. Client is also telephoned immediately. Investigation commences, and any updates to the Jira ticket (at least one every 15 minutes in the case of an outage) triggering update emails to client.

Month end reporting will show full duration and detail of any outages based on monitoring and Jira statistics.

By tracking all support activity through Jira and giving our client full access we provide you with total transparency over the way an issue is being handled and report on our activities against the service level agreement each month.

Identity and authentication

Identity and authentication
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Username or password
Access restrictions in management interfaces and support channels Two factor authentication, IP White list, VPN
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
Devices users manage the service through
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device on a government network (for example PSN)
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for Between 1 month and 6 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for Between 1 month and 6 months
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI
ISO/IEC 27001 accreditation date 16/09/2013
What the ISO/IEC 27001 doesn’t cover Scope Statement
Axis12 ISMS encompasses all aspects of the organisation’s business and operations in support of discharging their obligations as defined in the Service Agreements with their clients from their London site, with hosting services provided in UK based datacentres and Amazon Cloud Services based in EA. This includes software development, hosting, support and training, the provision of consultancy and all other defined service offerings together with the associated supporting business processes.

Recruitment services are not currently in scope as they are not relevant to our certification.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We have been ISO27001 certified (certification no. 598644) for more than three years and work closely with a CLAS certified consultant who ensures our processes meet the high standards of data security.
We are familiar with HMG Security Policy Framework (Cabinet Office, October 2013; and our experience spans design, development and support of a number of IL2-certified systems, and the implementation and support of IL3 systems.

All of our processes and procedures incorporate Physical, Human and Digital security capability to ensure that client data and systems are continuously secure against threats to Confidentiality, Integrity and Availability.

All of our employees undergo security screening and CRB checks, and are provided with solid training to ensure that the needs of our clients are managed and the aspirations of our workforce remain high.

We can guarantee security by only providing certain levels of access (e.g. server-level access) to suitably qualified and trained Axis12 staff covered by our ISO27001 certificate.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Change Control Steps:
1. Documenting the Change Request through Axis12 Change Control system.

2. Formal assessment of change looking at risks, benefits and security impact of making the change evaluated by the Change Approver.

3. The team responsible for the change creates a detailed plan for its design and implementation.

4. The implementation team designs a program for the software change and tests it. If successful a release date is requested.

5. The team implements the program and stakeholders review the change.

6. Final assessment involves requestor and change approver confirming the implementation success/failure and Change Request is closed/reopened.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach We are constantly monitoring the various major alert/information channels for threats to our system. Each threat is classified Critical, High, Low with expected implementation times as follow.
- 'Critical’ patches should be deployed within hours
- 'High’ patches should be deployed within 2 weeks of a patch becoming available
- ‘Low’ patches deployed within 8 weeks of a patch becoming available
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach We have a range of automated and manual approaches to protective monitoring that are constantly being reviewed as new threats are identified within the industry. We work closely with our hosting partners and other industry experts. The exact process is available on request.
Incident responses are reviewed and classified in our ‘Security Incident (System)’ and assigned to the appropriate Service Level to the incident with the appropriate level of technical resources to resolve the issue.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach 1. Issue identifed
2. Service desk reported by phone or email
3. Tickets created in our ticketing system.
4. For Severity 1 issues, an action plan is formulated as soon as the call is logged and regular conference calls scheduled until the issue is fixed.
5. Diagnosis begins according to our SLA
6. Ticket updated regularly, triggering an automated email to the client.
7. When issue has been resolved, the system is updated as completed and all interested parties automatically alerted via email. This means that tickets can never be closed without the person who logged the ticket being aware.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Separation between users
Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Supplier
Virtualisation technologies used KVM hypervisor
How shared infrastructure is kept separate Separate virtual machine, locking down connections by ip whitelist. [more here]

Energy efficiency

Energy efficiency
Energy-efficient datacentres Yes


Price £185 per unit per month
Discount for educational organisations Yes
Free trial available No


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑