PDMS Limited (Professional Data Management Services Limited)

Hosting and Managed Service

PDMS provide a complete, high-availability (uptime exceeding 99.9%), end-to-end Hosting and Managed Services provision, and have the track record, expertise, infrastructure, systems, accreditations and partnerships to provide the systems we develop on a fully managed-service or software-as-a-service basis. The service includes security, business continuity, disaster recovery, backup and patching services.


  • Virtualisation providing high levels of resilience
  • Certified and accredited secure infrastructure and facilities
  • 24/7/365 monitoring
  • Geographically separated hosting facilities
  • Multiple tiers of security between the application and internet
  • Cyber Essentials Certified


  • High levels of availability
  • High levels of security
  • Full redundancy in critical systems infrastructure
  • Fully managed services
  • Rapid deployment


£1000 per unit per month

  • Education pricing available

G-Cloud 11


PDMS Limited (Professional Data Management Services Limited)

Joanne Pontee

+44 (0) 1624 664000


Service scope

Service constraints: PDMS provided software
System requirements: PDMS Software

User support

Email or online ticketing support: Email or online ticketing
Support response times: Within 4 working hours of a support call being raised. 09:00 to 17:30 Monday to Friday, excluding UK public holidays. (24/7, weekends and public holidays can be agreed)
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: WCAG 2.1 A
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: Support availability 09:00 to 17:30 Monday to Friday, excluding UK public holidays. (24/7 and public holidays can be agreed). A response to a support request can be expected to be received within 4 (four) Working Hours of the support call being raised. A resolution, or work-around, can, in most cases, be expected to be received within 7.5 (seven and a half) Working Hours of the support call being raised. Further information is available within our Service Definition document.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: See service definition document.
Service documentation: No
End-of-contract data extraction: See service definition document.
End-of-contract process: See service definition document.

Using the service

Web browser interface: No
Command line interface: No

Scaling available: No
Independence of resources: Client level resource segregation.
Usage notifications: Yes
Usage reporting: Email


Infrastructure or application metrics: Yes
Metrics types:
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
Reporting types: Reports on request


Supplier type: Not a reseller

Staff security

Staff security clearance: Conforms to BS7858:2012
Government security clearance: Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: Other locations
User control over data storage and processing locations: No
Datacentre security standards: Managed by a third party
Penetration testing frequency: At least every 6 months
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
Other data at rest protection approach:
  • Secure Tier 3 Data centres
  • Secure containers, racks or cages
  • Physical access control
  • Encryption of physical media
  • Safe destruction of physical media
Data sanitisation process: Yes
Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery: Yes
What’s backed up:
  • Virtual Machines
  • Databases
  • Files
  • Logs
  • Customer Specific, requested by agreement
Backup controls:
  • Nightly backups of the data within the Application database will be taken to a local disk on the database server, to allow a quick recovery from unexpected issues such as database corruption, or to enable a roll back of recently applied changes or updates.
  • Nightly backups of the data will be taken to a remote disk. This enables quick recovery from database server failure.
  • Nightly snapshots of the virtual machines will be taken to a remote disk, to enable quick recovery of the web/application tier if the operating system fails.
Datacentre setup: Multiple datacentres
Scheduling backups: Supplier controls the whole backup schedule
Backup recovery: Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: Service definition document.
Approach to resilience: No single points of failure within a datacentre and active-active set-up across datacentres. Further information available on request.
Outage reporting: Email alerts.

Identity and authentication

User authentication:
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels: Management interfaces are only allowed to internal staff.
Access restriction testing frequency: At least once a year
Management access authentication:
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through: Dedicated device on a segregated network (provider's own provision)

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: Lloyd's Register Quality Assurance (LRQA)
ISO/IEC 27001 accreditation date: 12/02/2018
What the ISO/IEC 27001 doesn’t cover: All areas of the business and our services are in scope
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security certifications: Yes
Any other security certifications: Cyber Essentials Plus

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards:
  • ISO/IEC 27001
  • Other
Other security governance standards: Cyber Essentials
Information security policies and processes: As part of its ISMS, PDMS have the following policies and processes: Information Security Policy, Secure Development Process, Acceptable Use Policy, Change Control Policy, Data Classification and Handling Policy, Data Protection Policy, Business Continuity Policy and an Incident Management Process, all of which are governed, managed and audited through our ISO certifications. All policies are owned and regularly reviewed by the relevant departmental manager.

It is the responsibility of each departmental manager to ensure that all of their staff follow the information security policies and processes; however, compliance is audited by the Quality and Standards Manager, with any issues identified reported to the relevant manager for rectification.

Operationally, Information Security is jointly managed by the Chief Security Officer and the Quality and Standards Manager, both of whom report directly to the Managing Director, who has overall ownership at Board Level for Security, allowing issues that require immediate escalation to be reported to the Directors. Operational issues that do not require immediate escalation are discussed at the monthly management meetings, where it is a standing issue. All issues discussed during these meetings that require escalation are reported upwards to the Board of Directors to be discussed, where appropriate.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: All changes made to PDMS systems and core infrastructure are subject to PDMS' change management processes. These are either performed through the code tools, or through services utilised by our internal departments. Where a change is identified, the staff member proposing the change must document the reason for the change, any known implications including security impacts, and any proposed times for the change to occur. All changes are then reviewed prior to implementation by any relevant staff to ensure their awareness of the potential change. The potential change is then approved and the change can be made.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: PDMS subscribe to a number of forums and internet-based information sources that provide information about potential vulnerabilities in the systems and services that we use. Information provided by these is analysed and, where necessary, verified by our Infrastructure Team. Once a manufacturer releases a patch for their services and systems, this will be deployed to the live environment within a week. Test environments are patched first to ensure that operational issues are not caused by the patch.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: The principal method of identifying potential security issues in our systems and network is through penetration testing, which is undertaken both internally and, where appropriate, through approved third parties. When a potential compromise in the security of our systems and network is identified, a suitably qualified member of staff is tasked with investigating and providing a solution to the issue. If, as a result of the tests, it is determined that an actual incident has occurred, our incident management protocols commence immediately upon discovery, to enable rectification as soon as possible.
Incident management type: Supplier-defined controls
Incident management approach: PDMS allow all staff to report security incidents through a number of methods, including email, telephone, and system-based forms. Ultimately all reported incidents are managed by the Chief Security Officer, who follows the Incident Management Process, which identifies how the incident should be managed, including when to provide updates to any customers that may be affected. Customer Incident Reports are normally provided in a written document. All incidents are reviewed following their satisfactory conclusion, to determine what lessons can be learned, and to improve the process or prevent future occurrences.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
Who implements virtualisation: Supplier
Virtualisation technologies used: VMware
How shared infrastructure is kept separate: Different virtual machines and virtual networks per client.

Energy efficiency

Energy-efficient datacentres: No


Price: £1000 per unit per month
Discount for educational organisations: Yes
Free trial available: No

Service documents

  • Pricing document (pdf)
  • Skills Framework for the Information Age rate card (pdf)
  • Service definition document (pdf)
  • Terms and conditions (pdf)