PDMS Limited (Professional Data Management Services Limited)

Hosting and Managed Service

PDMS provide a complete, high-availability (uptime exceeding 99.9%) end-to-end Hosting and Managed Services provision and have the track record, expertise, infrastructure, systems, accreditations and partnerships to provide the systems we develop on a fully managed-service or software-as-a-service basis. The service includes security, business continuity, disaster recovery, backup and patching services.


  • Virtualisation providing high levels of resilience
  • Certified and accredited secure infrastructure and facilities
  • 24/7/365 monitoring
  • Geographically separated hosting facilities
  • Multiple tiers of security between the application and internet
  • Cyber Essentials Certified


  • High levels of availability
  • High levels of security
  • Full redundancy in critical systems infrastructure
  • Fully managed services
  • Rapid deployment


£1000 per unit per month

  • Education pricing available

Service documents


G-Cloud 11

Service ID

874202588588718


PDMS Limited (Professional Data Management Services Limited)

Catriona Watt

+44 (0) 1624 664000


Service scope

Service constraints
PDMS provided software
System requirements
PDMS Software

User support

Email or online ticketing support
Email or online ticketing
Support response times
Within 4 working hours of a support call being raised.

09:00 to 17:30 Monday to Friday, excluding UK public holidays. (24/7, weekends and public holidays can be agreed)
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 A
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Support availability 09:00 to 17:30 Monday to Friday, excluding UK public holidays. (24/7 and public holidays can be agreed). A response to a support request can be expected to be received within 4 (four) Working Hours of the support call being raised.
A resolution, or work-around, can, in most cases, be expected to be received within 7.5 (seven and a half) Working Hours of the support call being raised. Further information is available within our Service Definition document.
Support available to third parties

Onboarding and offboarding

Getting started
See service definition document.
Service documentation
End-of-contract data extraction
See service definition document.
End-of-contract process
See service definition document.

Using the service

Web browser interface
Command line interface


Scaling available
Independence of resources
Client level resource segregation.
Usage notifications
Usage reporting


Infrastructure or application metrics
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
Reporting types
Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
Other locations
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
Other data at rest protection approach
Secure Tier 3 Data centres
Secure containers, racks or cages
Physical access control
Encryption of Physical media
Safe destruction of physical media
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
What’s backed up
  • Virtual Machines
  • Databases
  • Files
  • Logs
  • Customer Specific, requested by agreement
Backup controls
Nightly backups of the data within the Application database will be taken to a local disk on the database server for the purposes of allowing a quick recovery from unexpected issues such as database corruption, or to enable a roll back of recently applied changes or updates etc.
Nightly backups of the data will be taken to a remote disk. This enables quick recovery from database server failure.
Nightly snapshots of the virtual machines will be taken to a remote disk, to enable quick recovery of the web/application tier if the operating system fails.
Datacentre setup
Multiple datacentres
Scheduling backups
Supplier controls the whole backup schedule
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Service definition document.
Approach to resilience
No single points of failure within a datacentre and an active-active set-up across datacentres.

Further information available on request.
Outage reporting
Email alerts.

Identity and authentication

User authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels
Management interfaces are only allowed to internal staff.
Access restriction testing frequency
At least once a year
Management access authentication
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
Dedicated device on a segregated network (provider's own provision)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
Lloyd's Register Quality Assurance (LRQA)
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
All areas of the business and our services are in scope
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials Plus

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Cyber Essentials
Information security policies and processes
As part of its ISMS, PDMS have the following policies and processes: Information Security Policy, Secure Development Process, Acceptable Use Policy, Change Control Policy, Data Classification and Handling Policy, Data Protection Policy, Business Continuity Policy and an Incident Management Process, all of which are governed, managed and audited through our ISO certifications. All policies are owned and regularly reviewed by the relevant departmental manager.

It is the responsibility of each departmental manager to ensure that all of their staff follow the information security policies and processes. Compliance is audited by the Quality and Standards Manager, with any issues identified reported to the relevant manager for rectification.

Operationally, Information Security is jointly managed by the Chief Security Officer and the Quality and Standards Manager, both of whom report directly to the Managing Director, who has overall ownership at Board level for security, allowing issues that require immediate escalation to be reported to the Directors. Operational issues that do not require immediate escalation are discussed at the monthly management meetings, where security is a standing issue. All issues discussed during these meetings that require escalation are reported upwards to the Board of Directors for discussion, where appropriate.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All changes made to PDMS systems and core infrastructure are subject to PDMS' change management processes. These are either performed through the code tools, or through services utilised by our internal departments. Where a change is identified, the staff member proposing the change must document the reason for the change, any known implications including security impacts, and any proposed times for the change to occur. All changes are then reviewed prior to implementation by any relevant staff to ensure their awareness of the potential change. The potential change is then approved and the change can be made.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
PDMS subscribe to a number of forums and internet-based information sources that provide information about potential vulnerabilities in the systems and services that we use. Information provided by these is analysed and, where necessary, verified by our Infrastructure Team. Once a manufacturer releases a patch for their services and systems, this will be deployed to the live environment within a week. Test environments are patched first to ensure that operational issues are not caused by the patch.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
The principal method of identifying potential security issues in our systems and network is through penetration testing, which is undertaken both internally and, where appropriate, through approved third parties.
When a potential compromise in the security of our systems and network is identified, a suitably qualified member of staff is tasked with investigating and providing a solution to the issue.
If as a result of the tests it is determined that an actual incident has occurred, our incident management protocols commence immediately upon discovery, to enable rectification as soon as possible.
Incident management type
Supplier-defined controls
Incident management approach
PDMS allow all staff the ability to report security incidents through a number of methods, including email, telephone, and system-based forms. Ultimately all reported incidents are managed by the Chief Security Officer, who follows the Incident Management Process, which identifies how the incident should be managed, including when to provide updates to any customers that may be affected. Customer Incident Reports are normally provided in a written document.
All incidents are reviewed following their satisfactory conclusion, to determine what lessons can be learned, and to improve the process or prevent future occurrences.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Who implements virtualisation
Virtualisation technologies used
How shared infrastructure is kept separate
Different virtual machines and virtual networks per client.

Energy efficiency

Energy-efficient datacentres


£1000 per unit per month
Discount for educational organisations
Free trial available
