VMware UK Limited

VMware Code Stream

VMware Code Stream™ speeds up software delivery and streamlines troubleshooting with release pipelines and analytics.

Features

  • Enables DevOps
  • Governance
  • Simplify core app dev processes
  • Multicloud Support

Benefits

  • Provision software artifacts faster and with more control
  • Facilitates cross team collaboration using consolidated dashboards and reports
  • Tracks artifacts and automates deployment configurations
  • Integrates pipeline automation and governance with existing DevOps tool chain.

Pricing

£145.70 to £271.03 per virtual machine per year

  • Education pricing available
  • Free trial available

Service documents

Framework

G-Cloud 11

Service ID

874569664236035

Contact

VMware UK Limited

G-Cloud Enquiries

07747 607445

GCloud@vmware.com

Service scope

Software add-on or extension No
Cloud deployment model
  • Public cloud
  • Private cloud
  • Hybrid cloud
Service constraints VMware Code Stream™ currently works with a VMware-based private cloud and hybrid clouds such as VMware Cloud™ on AWS, and across the native public clouds of AWS, Microsoft Azure and Google Cloud Platform.
System requirements Not Applicable

User support

Email or online ticketing support Email or online ticketing
Support response times VMware Cloud Service Support Policies are published at https://www.vmware.com/support/policies/saas-support.html
  • Critical (SaaS Severity 1): 30 minutes or less, 24x7
  • Major (SaaS Severity 2): 4 business hours
  • Minor (SaaS Severity 3): 8 business hours
  • Cosmetic (SaaS Severity 4): 12 business hours
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Web chat
Web chat support availability 24 hours, 7 days a week
Web chat support accessibility standard WCAG 2.1 AA or EN 301 549
Web chat accessibility testing VMware Code Stream leverages in-product chat from Intercom.com. Details about chat accessibility can be found here: https://www.intercom.com/help/faqs-and-troubleshooting/the-intercom-messenger/is-the-intercom-messenger-accessible
Additional details on development and testing for accessibility of the chat interface can be found here: https://www.intercom.com/blog/messenger-accessibility/
Onsite support Yes, at extra cost
Support levels Please refer to our website for support details: https://www.vmware.com/support/services/saas-production.html
Technical Account Specialists are available at an additional cost.
Support available to third parties Yes

Onboarding and offboarding

Getting started VMware provides a range of resources to help you start using VMware Code Stream. These include comprehensive documentation (in multiple formats), introductory videos, hands-on labs, online and in-person training, access to a large ecosystem of partners, and support from the customer success team and public sector account team.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Per Section 2.4 at https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/support/vmw-code-stream-svcedesc-27-aug-2018.pdf
If you or we terminate your account, you will permanently lose access to the data collected by the Service Offering. This data includes any configuration created in the Service Offering for the purpose of providing services to end users. That data will be deleted within 90 days of account termination. The Service Offering is not intended to or configured to accept any Content, including any data restricted or prohibited by the Terms of Service.

The VMware Data Processing Addendum is available by visiting https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/downloads/eula/vmware-data-processing-addendum.pdf
End-of-contract process Per Section 2.4 at https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/support/vmw-code-stream-svcedesc-27-aug-2018.pdf
If you or we terminate your account, you will permanently lose access to the data collected by the Service Offering. This data includes any configuration created in the Service Offering for the purpose of providing services to end users. That data will be deleted within 90 days of account termination. The Service Offering is not intended to or configured to accept any Content, including any data restricted or prohibited by the Terms of Service.

The VMware Data Processing Addendum is available by visiting https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/downloads/eula/vmware-data-processing-addendum.pdf

Using the service

Web browser interface Yes
Supported browsers
  • Firefox
  • Chrome
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service VMware Code Stream is accessible via web browser which can be instantiated on mobile devices as well. The user interface is very responsive to any kind of device.
Service interface Yes
Description of service interface VMware Code Stream is an HTML5-based web app that delivers a unified, easy-to-use interface across all supported platforms and devices

The user interface is simple, intuitive and responsive. Interactive dashboards, advanced filters, search options and customizable user preferences provide IT administrators the information they need to make decisions.
Accessibility standards None or don’t know
Description of accessibility VMware is dedicated to supporting customers in making VMware products and technologies accessible to people with disabilities.

Please visit https://www.vmware.com/uk/help/accessibility.html for an overview of the accessibility testing conducted on the various VMware products and services at this time
Accessibility testing Please visit https://www.vmware.com/uk/help/accessibility.html for an overview of the accessibility testing conducted on the various VMware products and services at this time
API Yes
What users can and can't do using the API One of the great things about VMware’s Cloud services is that all of the authentication to the platform is centralized within the Cloud Services Portal (CSP). One benefit of this is that the API token that you leverage within the platform is a common token across all of the Cloud Services. In order to leverage the API endpoints we highlight below, you’ll need to acquire and use that token.
API documentation:
https://www.mgmt.cloud.vmware.com/pipeline/api/swagger/
API documentation Yes
API documentation formats Open API (also known as Swagger)
API sandbox or test environment No
Customisation available No

Scaling

Independence of resources - Our solution meets strict requirements for high availability and redundancy through load balancing across multiple, geographically disparate data centers. We eliminate any single point of failure through the use of redundant equipment, network, power and clustering of key components.

Analytics

Service usage metrics Yes
Metrics types Pipelines come with out-of-the-box dashboards which track pipeline executions over time. Admins can build a custom dashboard that combines metrics across pipelines in their project.
Reporting types Real-time dashboards

Resellers

Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance None

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • Other locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
Other data at rest protection approach - Proper user access controls are in place. Only authorized users get access to the data.
- An intrusion detection system such as Redlock is in place to monitor the system.
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach In-house destruction process

Data importing and exporting

Data export approach YAML files can be used to define pipeline definitions, facilitating configuration management, definition repeatability, version control and cross-developer collaboration.
Data export formats Other
Other data export formats YAML
Data import formats Other
Other data import formats YAML

Data-in-transit protection

Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability VMware will use commercially reasonable efforts to ensure that each component of the Service Offering ("service component") is “Available” during a given billing month (as defined in the Service Description)

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/support/vmw-code-stream-svcedesc-27-aug-2018.pdf
Approach to resilience Our solution meets strict requirements for high availability and redundancy through load balancing across multiple, geographically disparate data centers. We eliminate any single point of failure through the use of redundant equipment, network, power and clustering of key components.
- Proper Backup/Restore and DR processes are in place.
- Additional information can be provided upon request.
Outage reporting The real-time status of VMware Code Stream, along with past incidents, is publicly available on https://status.vmware-services.io/.

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels Management interfaces implement role-based access controls and require members to authenticate against the corporate identity provider.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information No audit information available
Access to supplier activity audit information No audit information available
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Schellman & Company, LLC
ISO/IEC 27001 accreditation date 06/03/2019
What the ISO/IEC 27001 doesn’t cover Not Applicable
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date 13/11/2018
CSA STAR certification level Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover N/A
PCI certification No
Other security certifications Yes
Any other security certifications Global DC operations have undergone a SSAE16/SOC2 Type I audit

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes VMware security policies are documented and available to employees on an internal web site. Policies and procedures are reviewed annually, updated as needed and retained for a minimum of six years from the date of creation. VMware utilizes a standard operating procedure repository to store an extensive set of documented procedures. Detailed procedures are defined for the following categories of functions: information security, physical security, network availability, HR, communications, risk/issues and service level customer service. On an annual basis, VMware Code Stream is audited by third-party auditors for ISO 27001, and SOC 2. Policy adherence is included as a part of these third-party audits.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach We maintain a documented Configuration Management policy, based on industry best practices, to harden the SaaS environment and a Change Control Policy to manage changes to the SaaS environment.
-- Changes to the Configuration Management policy are processed through the Change Management policy
-- Change Management includes approval, testing, implementation and rollback
--- Support staff members initiate a change through a change control form, which the Change Advisory Board team reviews for completeness, impact and scheduling. The severity level of the change is categorized.
--- Once the form is approved, the change is scheduled and an alert is released to the necessary groups; once the change is made, it is tested, validated and closed
Vulnerability management type Supplier-defined controls
Vulnerability management approach We receive threat information and explore threat resolutions from the VMware Security Response Center (http://www.vmware.com/security/vsrc.html)
- Regular internal and external vulnerability assessment tests are performed against the SaaS environment
- Risk methodology based on NIST standards, including:
-- Identifying and characterizing threats
-- Assessing the vulnerability of critical assets to specific threats
-- Determining risk (i.e., expected likelihood and consequences of attacks)
-- Identifying ways to reduce risks
-- Prioritizing risk reduction measures based on strategy
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Our cloud support staff have configured the system to notify IT personnel of high central processing unit (CPU) utilization, limited disk space, memory issues, key service failures, bandwidth utilization, power consumption, or other performance items.
- IT Operations has subscriptions to pertinent vendor security and bug-tracking mailing lists.
- After analyzing the severity and impact, network, utility and security equipment is patched or upgraded.
- Tools such as Wavefront and Lacework are in place to continuously monitor the service KPIs.
Incident management type Supplier-defined controls
Incident management approach We maintain an Incident Management Plan as part of our Information Security Program.

Incidents are reported to and resolved by the appropriate Cloud Operations team and by senior management where needed.
-- Alerts, responses and resolutions are tracked through completion.
-- In the unlikely event of an incident, we will notify customers within two business days of any customer data that is affected.
- Incident logs are reviewed by applicable support personnel for analysis and remediation to avoid further incidents of similar type. All remediation actions are reviewed and approved by our Information Security Governance Committee.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks No

Pricing

Price £145.70 to £271.03 per virtual machine per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial We encourage the use of our 30-day free trial experience as part of your customer acceptance strategy. The trial enables you to review all solution functionality across all clouds.
