Hosting and Managed Service
PDMS provide a complete and high availability (uptime exceeding 99.9%) end-to-end Hosting and Managed Services provision and have the track record, expertise, infrastructure, systems, accreditations and partnerships to provide the systems we develop on a fully managed-service or software-as-a-service basis. Includes security, business continuity, disaster recovery, backup and patching services.
- Virtualisation providing high levels of resilience
- Certified and accredited secure infrastructure and facilities
- 24/7/365 monitoring
- Geographically separated hosting facilities
- Multiple tiers of security between the application and internet
- Cyber Essentials Certified
- High levels of availability
- High levels of security
- Full redundancy in critical systems infrastructure
- Fully managed services
- Rapid deployment
£1000 per unit per month
- Education pricing available
- Pricing document
- Skills Framework for the Information Age rate card
- Service definition document
- Terms and conditions
PDMS Limited (Professional Data Management Services Limited)
+44 (0) 1624 664000
|Service constraints||PDMS provided software|
|System requirements||PDMS Software|
|Email or online ticketing support||Email or online ticketing|
|Support response times||
Within 4 working hours of a support call being raised.
09:00 to 17:30 Monday to Friday, excluding UK public holidays. (24/7, weekends and public holidays can be agreed)
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||WCAG 2.1 A|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
Support availability 09:00 to 17:30 Monday to Friday, excluding UK public holidays. (24/7 and public holidays can be agreed). A response to a support request can be expected to be received within 4 (four) Working Hours of the support call being raised.
A resolution, or work-around, can, in most cases, be expected to be received within 7.5 (seven and a half) Working Hours of the support call being raised. Further information is available within our Service Definition document.
|Support available to third parties||Yes|
Onboarding and offboarding
|Getting started||See service definition document.|
|End-of-contract data extraction||See service definition document.|
|End-of-contract process||See service definition document.|
Using the service
|Web browser interface||No|
|Command line interface||No|
|Independence of resources||Client level resource segregation.|
|Infrastructure or application metrics||Yes|
|Reporting types||Reports on request|
|Supplier type||Not a reseller|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||Other locations|
|User control over data storage and processing locations||No|
|Datacentre security standards||Managed by a third party|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||
|Other data at rest protection approach||
Secure Tier 3 Data centres
Secure containers, racks or cages
Physical access control
Encryption of Physical media
Safe destruction of physical media
|Data sanitisation process||Yes|
|Data sanitisation type||
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001|
Backup and recovery
|Backup and recovery||Yes|
|What’s backed up||
Nightly backups of the data within the Application database will be taken to a local disk on the database server for the purposes of allowing a quick recovery from unexpected issues such as database corruption, or to enable a roll back of recently applied changes or updates etc.
Nightly backups of the data will be taken to a remote disk. This enables quick recovery from database server failure.
Nightly snapshots of the virtual machines will be taken to a remote disk, to enable for quick recovery of the web/application tier if the operating system fails.
|Datacentre setup||Multiple datacentres|
|Scheduling backups||Supplier controls the whole backup schedule|
|Backup recovery||Users contact the support team|
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
|Guaranteed availability||Service definition document.|
|Approach to resilience||
No single points of failure within a datacentre and active active set-up across datacentres.
Further information available on request.
|Outage reporting||Email alerts.|
Identity and authentication
|Access restrictions in management interfaces and support channels||Management interfaces are only allowed to internal staff.|
|Access restriction testing frequency||At least once a year|
|Management access authentication||
|Devices users manage the service through||Dedicated device on a segregated network (providers own provision)|
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||Lloyd's Register Quality Assurance (LRQA)|
|ISO/IEC 27001 accreditation date||12/02/2018|
|What the ISO/IEC 27001 doesn’t cover||All areas of the business and our services are in scope|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||Cyber Essentials Plus|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||
|Other security governance standards||Cyber Essentials|
|Information security policies and processes||
As part of its ISMS, PDMS have the following policies and processes; Information Security Policy, Secure Development Process, Acceptable Use Policy, Change Control Policy, Data Classification and Handling Policy, Data Protection Policy, Business Continuity Policy and an Incident Management Process, all of which are governed, managed and audited through our ISO certifications. All policies are owned and regularly reviewed by the relevant departmental manager.
It is the responsibility of each departmental manager to ensure that all of their staff follow the information security policies and processes, however compliance is audited by the Quality and Standards Manager, with any issues identified reported to the relevant manager, for rectification.
Operationally, Information Security is jointly managed by the Chief Security Officer and the Quality and Standards Manager, both of whom report directly to the Managing Director, who has overall ownership at Board Level for Security, allowing issues that require immediate escalation to be reported to the Directors. Operational Issues that do not require immediate escalation are discussed at the monthly management meetings, where it is a standing issue. All issues discussed during these meetings that require escalation are reported upwards to Board of Directors for it to be discussed, where appropriate.
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||All changes made to PDMS systems and core infrastructure are subject to PDMS' change management processes. These are either performed through the code tools, or through services utilised by our internal departments. Where a change is identified, the staff member proposing the change must document the reason for the change, any known implications including security impacts, and any proposed times for the change to occur. All changes are then reviewed prior to implementation by any relevant staff to ensure their awareness of the potential change. The potential change is then approved and the change can be made.|
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||PDMS subscribe to a number of forums and internet based information sources, that provide information about potential vulnerabilities in the systems and services that we use. Information provided by these is analysed and, where necessary, verified by our Infrastructure Team. Once a manufacturer releases a patch for their services and systems this will be deployed to the live environment within a week. Test environments are patched first to ensure that operational issues are not caused by the patch.|
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
The principle method of identifying potential security issues in our systems and network is through penetration testing, which is undertaken both internally and, where appropriate, through approved third parties.
When a potential compromise in the security of our systems and network is identified a suitably qualified member of staff is tasked with investigating and providing a solution to the issue.
If as a result of the tests it is determined that an actual incident has occurred, our incident management protocols commence immediately upon discovery, to enable rectification as soon as possible.
|Incident management type||Supplier-defined controls|
|Incident management approach||
PDMS allow all staff the ability to report security incidents through a number of methods, including email, telephone, and system based forms. Ultimately all reported incidents are managed by the Chief Security Officer, who follows the Incident Management Process, which identifies how the incident should be managed, including when to provide updates to any customers that may be affected. Customer Incident Reports are normally provided in a written document.
All incidents are reviewed following their satisfactory conclusion, to determine what lessons can be learned, and to improve the process or prevent future occurrences.
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Separation between users
|Virtualisation technology used to keep applications and users sharing the same infrastructure apart||Yes|
|Who implements virtualisation||Supplier|
|Virtualisation technologies used||VMware|
|How shared infrastructure is kept separate||Different virtual machines and virtual networks per client.|
|Price||£1000 per unit per month|
|Discount for educational organisations||Yes|
|Free trial available||No|