Zoocha Limited

Drupal 8 Cloud CMS

Zoocha Drupal Cloud CMS is a secure, compliant Drupal content management system, providing complex Drupal integration, single sign-on, CRM, configuration and workflow management.


  • Drupal best practice implementation
  • Expert Drupal module evaluation based on requirements
  • Remote access to your Drupal Cloud CMS
  • Customisable responsive Drupal template design
  • Drupal Multi-lingual Capability
  • Drupal publishing workflows and content versioning
  • Drupal development using agile methodology


  • Drupal security compliant
  • Fully managed Drupal hosting on AWS
  • Thousands of Drupal Association approved modules
  • UK based expert Drupal Development team


£600 per instance per month

  • Education pricing available

Service documents

G-Cloud 9


Zoocha Limited

William Huggins



Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints N/A
System requirements N/A

User support

User support
Email or online ticketing support Email or online ticketing
Support response times General guidance cases < 72 hours; system impaired cases < 12 hours; production system impaired cases < 4 hours; production system down cases < 1 hour; business-critical system down cases < 15 minutes
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.0 AA or EN 301 549
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels Zoocha provide a single tier support service which is contracted as 'support days per month' @ £650 per day. There is no limit to the number of tickets raised, but support time above the contracted amount is charged at £130 per hour. Contracted support time can be increased or decreased (to a minimum of 1 day per month) at any time during the contract, by providing 30 days notice. Technical account management can be provided at an additional cost of £750 per day.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started The onboarding process starts with a workshop (kick off meeting) to capture some of the information and key behaviours the project needs people to engage with to be a success. This could include training in our processes and on our project systems like Taiga or Pivotal Tracker. Zoocha also provide agile training (including basic training in our project management systems) during or in addition to the workshop session. Drupal CMS training is provided as a separate service, the details of which can be found in the Service Definition document.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Data may be copied out using OS-level tools (such as xopy or rsync).
End-of-contract process Buyer may terminate the contract with Zoocha for any reason by providing Zoocha with notice. Zoocha will not erase customer data for 30 days following an account termination. This allows customers to retrieve content from Zoocha services so long as the customer has paid any charges for any post-termination use of the service offerings and all other amounts due.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Fully responsive web inteface
Accessibility standards WCAG 2.0 AA or EN 301 549
Accessibility testing None
What users can and can't do using the API All functionality can be exposed via an API.
API documentation Yes
API documentation formats PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Content Types; Taxonomies; Role Types; User Permissions; Workflows; Menus/ Navigation


Independence of resources Customer environments are logically segregated to prevent users and customers from accessing resources not assigned to them. Services which provide virtualized operational environments to customers (i.e. EC2) ensure that customers are segregated via security management processes/controls at the network and hypervisor level. AWS continuously monitors service usage to project infrastructure needs to support availability commitments/requirements. AWS maintains a capacity planning model to assess infrastructure usage and demands at least monthly, and usually more frequently. In addition, the AWS capacity planning model supports the planning of future demands to acquire and implement additional resources based upon current resources and forecasted requirements.


Service usage metrics Yes
Metrics types Zoocha provide a monthly service report including uptime metrics, support SLA performance and any other metrics agreed within the scope of the contract.
Reporting types
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations Yes
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Other
Other data at rest protection approach Zoocha use AWS, which adheres to independently validated privacy, data protection, security protections and control processes. (Listed under “certifications”). AWS is responsible for the security of the cloud; customers are responsible for security in the cloud. AWS enables customers to control their content (where it will be stored, how it will be secured in transit or at rest, how access to their AWS environment will be managed). Wherever appropriate, AWS offers customers options to add additional security layers to data at rest, via scalable and efficient encryption features. AWS offers flexible key management options and dedicated hardware-based cryptographic key storage.
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach In-house destruction process

Data importing and exporting

Data importing and exporting
Data export approach Users with administrative access to the Drupal Cloud CMS are able to export data directly from the admin interface.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network Other
Other protection within supplier network Customer environments are logically segregated to prevent users and customers from accessing resources not assigned to them. AWS gives customers ownership and control over their content by design through simple, but powerful tools that allow customers to determine how their content will be secured in transit. AWS enables customers to open a secure, encrypted channel to AWS services using TLS/SSL, and/or IPsec or TLS VPN (if applicable), or other means of protection the customer wish to use. API calls can be encrypted with TLS/SSL to maintain confidentiality; the AWS Console connection is encrypted with TLS.

Availability and resilience

Availability and resilience
Guaranteed availability Availability SLA is 99.95%. Failure to meet agreed level of availability will result in service credits awarded to to the customer.
Approach to resilience Zoocha cloud infrastructure is build on AWS. The AWS Business Continuity plan details the process, in the case of an outage, from detection to deactivation. AWS has developed a three-phased approach: Activation and Notification Phase, Recovery Phase, and Reconstitution Phase. This approach ensures that system recovery and reconstitution efforts are performed in a methodical sequence, minimizing system outage time due to errors and omissions. Zoocha have implemented a robust continuity plan, including the utilization of frequent server instance back-ups, data redundancy replication, and distribution of instances/ data stores within multiple geographic regions across multiple Availability Zones.
Outage reporting Email alerts.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels IAM provides user access control to Zoocha services, APIs and specific resources. Other controls include time, originating IP address, SSL use, and whether users authenticated via MFA devices.
Access restriction testing frequency At least every 6 months
Management access authentication 2-factor authentication

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations Yes
Any other security accreditations
  • Cyber Essentials
  • ISO 27001 accreditation pending June 2017

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards Cyber Essentials
Information security policies and processes Zoocha implement formal, documented policies and procedures that provide guidance for operations and information security within the organisation. Policies address purpose, scope, roles, responsibilities and management commitment. Employees maintain policies in a centralised and accessible location. Leadership involvement provides clear direction and visible support for security initiatives. The output of Leadership reviews include any decisions or actions related to: • Improvement of the effectiveness of the ISMS. • Update of the risk assessment and treatment plan. • Modification of procedures and controls that affect information security to respond to internal or external events that may impact the ISMS. • Resource needs. • Improvement in how the effectiveness of controls is measured. Policies are approved by Zoocha leadership at least annually or following a significant change to the infrastructure.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Changes to Zoocha services and features follow secure software development practices, including security risk reviews prior to launch. Developer access to production environments is via explicit access system requests, subject to owner review and authorisation. Teams set bespoke change management standards per service, underpinned by standard Zoocha guidelines. All production environment changes are reviewed, tested and approved. Stages include design, documentation, implementation (including rollback procedures), testing (non-production environment), peer to peer review (business impact/technical rigour/code), final approval by authorised party. Emergency changes follow Zoocha incident response procedures. Exceptions to change management processes are documented and escalated to Zoocha management.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Zoocha perform vulnerability scans on the host operating system, web applications, and databases in the AWS environments. Approved 3rd party suppliers conduct external assessments (minimum frequency: annually). Identified vulnerabilities are monitored and evaluated. Countermeasures are designed and implemented to neutralise known/newly identified vulnerabilities. Zoocha monitor newsfeeds/vendor sites for patches. Zoocha are responsible for all scanning, penetration testing, file integrity monitoring and intrusion detection for customers instances/ applications.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Zoocha use monitoring devices to collect information on unauthorized intrusion attempts, usage abuse, and network/application bandwidth usage. Devices monitor: • Port scanning attacks • Usage (CPU, processes, disk-utilization, swap rates, software-error generated losses) • Application metrics • Unauthorized connection attempts Near real-time alerts flag potential compromise incidents, based on set thresholds.
Incident management type Supplier-defined controls
Incident management approach Zoocha Drupal Cloud CMS incident management process is: Logging (creating a story for the incident in the dashboard and assigning severity level); Validation (review and clarification by the support team); Assignment (assigning story to relevant team member), Analysis (estimate of time required to resolve); Resolution (completion of the story ready for acceptance by the Client); Tracking (assignment of unique reference number and ability for Client to follow each ticket in order to receive notifications of any changes to the ticket); Escalation (recorded method of escalating to Directors); Acceptance (closure of the ticket via ‘one click’ acceptance by the Client).

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £600 per instance per month
Discount for educational organisations Yes
Free trial available No


Pricing document View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑