Fifosys Limited

Secure Managed Fifosys Private Cloud

Fifosys provide a private cloud platform hosted from two UK third party data centres for organisations that require a custom approach not provided by the public cloud. Our infrastructure has been in place since 2012 providing a dedicated hosted IT infrastructure for clients to access their systems remotely.


  • Real Time reporting
  • Scaleable on demand
  • Remote Access
  • Client isolation
  • Dedicated bandwidth


  • Can scale to meet the needs of the organisation
  • Can be easily accessed on the move
  • Removes the need for large investment in on-premise infrastructure
  • Fully managed and maintained environment


£0.20 per gigabyte per month

  • Education pricing available

Service documents

G-Cloud 10


Fifosys Limited

Mitesh Patel


Service scope

Service scope
Service constraints Service constraints include a planned maintenance window that will be agreed with the client to allow for proactive maintenance.
System requirements Standard connectivity via VPN

User support

User support
Email or online ticketing support Email or online ticketing
Support response times The Fifosys service desk is available 247 365 days of the year. This service provides a fully manned operation with engineers sitting in front of screen, taking calls, responding to emails and monitoring systems. Fifosys respond to incidents much faster than our SLA. We maintain a response and resolution time of 20 minutes for 86% of incidents to our desk. Our SLA is 1 hour for a priority 2 & 3 and 20 minutes for a priority 1. But we average 8 minutes response times to email support requests. These response times do not vary at weekends.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels Fifosys provide 1st, 2nd and 3rd line support 24/7/365. Our Network Operations Centre (NOC) proactively monitor, maintain and remediate clients systems. This is all standard service as part of our pricing model. We provide a team which includes an IT Manager who manages the Service team (NOC & Support), an Account Manager who is responsible for day to day management of the account from a sales perspective, and Technical architects who are responsible for discussing and identifying the right technical solutions for our clients.

We encourage clients to make use of tools we provide giving full visibility of what we do, including access to a service portal to view Service Desk activity. Our incident reports and status reports give clients the information needed if anything does not meet expectations we will be open in our resolution. This forms the basis of agreed KPIs to help gain trust and sustain long professional relationships.

This data is a central focus of Service Reviews and is invaluable in identifying training needs, potential problems or areas where systems aren’t delivering what the organisation needs. This detail has been noted in external quality audits and by vendors specialising in managed service applications and CRM systems.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We provide a tailored training program for the cloud service dependant on the requirements. This can include on-site training, workshops or on-line training. This can even be combined if required.

We have a large repository of user documentation that we share on how to use the various elements of the service.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Data can either be extracted manually bu the users or Fifosys can be instructed to provide all of this data on removable media. The user must supply or agree to the costs of Fifosys supplying the media.

This data is then removed from our systems and backup.

Any configuration documentation relating to the service and configuration items will be exported from our IT glue system and provided to the client in PDF format
End-of-contract process Extracting the users live data is included in the price of the contract as are all termination fees.

Any media required to export data is not included and this must be purchased by the user or the user must agree to the costs of Fifosys purchasing this on their behalf.

The export of historic backups is not included as this can be a time-consuming process and the cost is dependant on how many generations of data need to be exported.

All licencing within the cloud is also provided on an SPLA basis and therefore remaining the property of Fifosys

Using the service

Using the service
Web browser interface No
Command line interface No


Scaling available Yes
Scaling type
  • Automatic
  • Manual
Independence of resources We allocate sufficient resource and performance across the platform to support all the users and their requirements. We do not allow automatically scaling and any new services are provisioned by our support staff to ensure that there are no unexpected peaks in demand.

Regular capacity planning on the environment takes place to ensure we are prepared for growth.

The environment is also proactively monitored by our 24/7/365 NOC and alerts automatically generate tickets in our CRM system if services go outside their configured thresholds.
Usage notifications Yes
Usage reporting Email


Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
  • Other
Other metrics Performance
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach A third-party destruction service

Backup and recovery

Backup and recovery
Backup and recovery Yes
What’s backed up
  • Files
  • Virtual and physical servers
  • Network Attached Storage ( NAS)
  • Storage Area Network (SAN)
  • Database Applications
  • Software Applications
Backup controls Users have a high degree of granular options to configure the backup schedule. By default we configure all backups for every hour but there are options for critical systems to backup as frequently as every 5 minutes. As part of the installation process we agree the frequency across each file type, virtual server or critical application to sign off the backup schedule.
Datacentre setup Multiple datacentres with disaster recovery
Scheduling backups Users contact the support team to schedule backups
Backup recovery
  • Users can recover backups themselves, for example through a web interface
  • Users contact the support team

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • IPsec or TLS VPN gateway
Data protection within supplier network IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability We provide a 99.9% SLA on the data centre environment.

Users are refunded up to 10% of the monthly cost of hosting if we do not meet the SLA
Approach to resilience Our datacentre environment is highly resilient. All hardware has a minimum of N+1 for redundancy. The entire environment is replicated to a 2nd site to protect against a complete data centre outage and there are multiple connection paths in and out of the data centre.

The cloud environment is also proactively monitored 24/7/365 to ensure that any failures or predicted failures can be dealt with as soon as possible.

Further details of the resiliance are available on request.
Outage reporting Any service outages would be reported via email alerts. Any outages would be classed as a priority 1 - High impact incident and follow our high impact incident process.

Users would be continuously updated on progress of the issue until resolved.

Identity and authentication

Identity and authentication
User authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels Only authorised individuals from our organisation can manage the system and strong authentication is in place. The management layer is segregated from the service networks to prevent any issues affecting service.

All access to the systems are through N-able and an audit trail is in place.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password
Devices users manage the service through Dedicated device on a segregated network (providers own provision)

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users receive audit information on a regular basis
How long supplier audit data is stored for At least 12 months
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI
ISO/IEC 27001 accreditation date 11/09/2017
What the ISO/IEC 27001 doesn’t cover Dont Know
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications Cyber Essentials

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Information data security is an essential part of the Fifosys business. The directors recognise the need for its clients and end users information data to remain secure and confidential at all times. Clients and Fifosys internal departments collaborate to ensure that data stays secure.
Information data security systems are reviewed at regular intervals and outcomes are made available to other relevant organisations. Current policies exist for the following which are audited each year as part of our ISO 27001 accreditation:
Information Security Organisation
Classifying Information and Data
Controlling Access to Information and Systems
Processing Information and Document
Purchasing and Maintaining Commercial Software
Securing Hardware, Peripherals and Other Equipment
Fifosys Personnel
Detecting and Responding to Incidents
Business Continuity

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach We follow the ITIL framework for change and configuration management.

All changes are logged in our ERP system - Connectwise and changes must include a reason, the technical steps, the risk assessment, the service impact, a rollback plan, a test plan and a schedule of communications. All changes, once submitted are reviewed by the change management board.

All configuration are also tracked in Connectwise with installation date, service/warranty expiry, any 3rd party details and any associated configuration. Automatic updates of configuration items is also performed from our RMM tool, (N-Able) to Connectwise.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We are continually assessing threats to our service. We use automated cyber security tools such as cyberscore from XQ cyber ( A Check service provider) to continuously poll our environment for new threats and suggest remediation plans.

We patch our and our clients servers every week using our automated patch management service.

We also deploy next generation firewall products with anti malware protection, constantly upgraded from Cisco and we employ automated Ransomware protection across all our servers.

We get our sources of threats from our multiple partners including, Microsoft, Cisco, VMware, XQ Cyber and N-able
Protective monitoring type Supplier-defined controls
Protective monitoring approach We use our proactive monitoring tool (Nable), to identify threats. This monitors all aspects of the environment from servers to networking to anti-virus.

Data is also proactively monitored for RansomWare attacks through our backup solution.

When a threat or compromise is detected a ticket is automatically logged in our ERP system (Connectwise) and handled as a priority 1 ticket.

We respond to these incidents within 15 minutes
Incident management type Supplier-defined controls
Incident management approach Our incident management process is based on the ITIL framework for service management. Incidents are categorised into service issues where IT has failed and support issues where IT hasn't failed i.e. a new user request.

We have pre-defined processes for common events such as new users, subject access requests, permission changes, mobile device setup, upgrade and client specific common tasks.

Users can report incidents via phone, email or online portal.

Incident reports are provided to pre determined stakeholders in PDF format for high impact incidents and users can check directly in the online portal for normal or low impact incidents.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Separation between users

Separation between users
Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Supplier
Virtualisation technologies used VMware
How shared infrastructure is kept separate Organisations are provided with their own dedicated virtual machines. Although multiple organisations may have virtual machines on the same physical server hardware, they are segregated at a network level via VLAN.

A VLAN is created for each client and each VLAN is explicitly denied communications with another VLAN at both the switch and firewall level.

Energy efficiency

Energy efficiency
Energy-efficient datacentres No


Price £0.20 per gigabyte per month
Discount for educational organisations Yes
Free trial available No


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Terms and conditions document View uploaded document
Return to top ↑