Website Express Ltd.

Cloud Moodle Learning Management System (LMS)

The most widely distributed open-source platform for learning and development, the Moodle LMS offers secure, customizable and cost-effective eLearning functionality for all sizes of public and private organisations.

As ISO 9001:2015 certified Moodle developers, Website Express' services include managed hosting, systems integration, training and plug-in management.

Features

  • Full hosting of eLearning including a range of assessment tools.
  • Customisable course catalogues, themes and access by audience.
  • Proven security and stability for implementations to millions of users.
  • Supports most learning content including documents, audio, video, SCORM, forums.
  • Wide range of administrative functions including course scheduling and management.
  • Targeted learning enrolment against organisation and management hierarchies.
  • Powerful reporting functionality including manager and customisable dashboards.
  • Works across platforms, browsers, mobile devices and offline delivery.
  • User creation and authentication options including LDAP, AD and Shibboleth.
  • Open source code offers core functionality and bespoke development options.

Benefits

  • Develop, approve and monitor learning plans by individual or role.
  • Define, manage and monitor compliance certification and re-certification paths.
  • Construct learner-centric courses with a variety of resources / activities.
  • Offer content and track engagement for internal and external audiences.
  • Report on progress by individual, role, business unit or organisation.
  • Engage with learning anywhere and on multiple devices.
  • Build in competency based learning and development frameworks.
  • Support team management with scheduled, role based and graphical reporting.
  • Customise themes to your organisation's requirements to support learner engagement.
  • Integrate learning and development with existing systems for seamless experience.

Pricing

£525 to £1800 per unit per month

  • Education pricing available

G-Cloud 11

888520725952227

Website Express Ltd.

William Velasco

029 2000 4547

info@website-express.co.uk

Service scope

Software add-on or extension No
Cloud deployment model
  • Public cloud
  • Hybrid cloud
Service constraints If you'd like us to migrate or support an existing Moodle LMS, website or online application that has been built by another provider, we will first need to validate existing GDPR compliance, security, accessibility, usability and compatibility with a site audit.
System requirements None

User support

Email or online ticketing support Email or online ticketing
Support response times Response times are agreed as part of an SLA.

Typical response times are:
Priority 1 - 1 hour
Priority 2 - 4 hours
Priority 3 - 8 hours
Priority 4 - 16 hours
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.1 AAA
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Yes, at an extra cost
Web chat support availability 24 hours, 7 days a week
Web chat support accessibility standard WCAG 2.1 AAA
Web chat accessibility testing Our open source web chat technology meets WCAG 2.1 AAA accessibility guidelines and the code has been written so that the chat box is navigable by keyboard using screen reader software, which has undergone community testing by the Drupal project.
Onsite support Yes, at extra cost
Support levels Together with our fully managed hosting platform, we offer two support options. Your Website Express project manager will be your single point of contact for the duration of your support contract.

• Standard Support - Work is billed to the nearest 30 minutes and charged at our standard rates with no surcharges - £600 a day. Support will be provided during office hours, Monday to Friday, 9.00 to 5.30pm. For additional cover, see our 24/7/365 support offering below.
Support time is flexible and can be used for support or ad-hoc development requests.

• 24/7/365 Support - for clients who demand the highest level of service. This is 24 hours a day, seven days a week, 365 days a year and available as an addition to our Standard Support above. This level of support costs an additional £650 a month.

In the unlikely event of your website or application becoming totally unavailable, our support team will be notified and take immediate action 24/7 to identify and resolve the issue regardless of the support level.
Support available to third parties Yes

Onboarding and offboarding

Getting started We provide onsite training, user documentation and telephone support for client onboarding.

For complex onboarding, we also offer a paid bespoke service where we will perform the onboarding for you.
Service documentation Yes
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction We will provide full access to the CMS or application software code. We will also provide full access to the database and files on your server environment. We can also help with extracting this for you if required.
End-of-contract process We will provide full access to the CMS or application software code. We will also provide full access to the database and files on your server environment. We can also help with extracting this for you if required.

This is all included as standard within the price of the contract. Additional support would be chargeable.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service A fully responsive mobile version is available for administration of the service, with no features limited.
Accessibility standards WCAG 2.1 AAA
Accessibility testing Our open source web technology meets WCAG 2.1 AAA accessibility guidelines and the code has been written so that the chat box is navigable by keyboard using screen reader software, which has undergone community testing by the Drupal project.
API Yes
What users can and can't do using the API Moodle has many available open-source, off the shelf configurable APIs.

These include APIs for Access, Data Manipulation, File, Form, Logging, Navigation, Page, Output, String and Upgrade management, as well as many more.

Full details can be found at: https://docs.moodle.org/dev/Core_APIs
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • ODF
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation You can pick and choose from a wide range of contributed modules to add functionality to your site, and from a wide range of contributed themes to change your site's appearance. These add-on modules and themes are also known as 'contrib', because they were contributed by members of our Moodle community, and are available on moodle.org free of charge.

The service provides a selection of development and delivery options, each of which can be tailored to suit the buyer's requirements.

Scaling

Independence of resources Each hosting unit is able to auto-scale up to 128 GB RAM and 24 real CPU threads. Fast SSD plus SAS 15K in RAID6 provide high speed and the best reliability.

For large applications, any number of hosting units may be purchased to cover usual levels of demand, with automatic scaling of RAM and CPU for short load peaks beyond these limits.

Analytics

Service usage metrics Yes
Metrics types We provide you with full, transparent access to all project data and service reports. These are accessible in real time and are automatically sent at regular intervals (typically monthly).
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach In-house destruction process

Data importing and exporting

Data export approach A number of options are available depending on the nature of the site:

A) User dashboard - self download.
B) Admin user - download and send.
C) Developer - pull from database and send.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
  • SQL
  • Excel
Data import formats CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection between networks The system is fully secured using HTTPS / TLS 1.3.

Connections made using insecure HTTP will be automatically redirected to HTTPS connections, and no insecure HTTP connections will be possible.

All system-level access to the hosting platform is via secure SSH and SFTP protocols over a private VPN.

Any client access is only accepted via secure SSH, SFTP and FTPS connections.

A strict 90-day password expiration policy is enforced for all accounts.

The system is protected by a firewall, CDN and web application firewall.

Additional access restrictions may be configured at the CDN level.
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability 99.98% for Standard Hosting
100% for High Availability Hosting

On a case by case basis, we offer service credits which are discussed as part of the contract process.
Approach to resilience We monitor our Moodle platforms via HTTPS by checking a never-cached URI to confirm that it responds with the expected content, so that the uptime report gives accurate information on the availability of the Nginx server, PHP-FPM backend and database server.

We never pause this monitoring, even during scheduled maintenance, which means that our real average uptime is 99.99% to 100%.

Our managed hosting provider runs its own fully redundant, diverse fibre connection BGP4 network (AS30827) on Juniper MX80 series carrier-grade routers with direct connectivity to LINX and Tier-1 networks. Routers check all available networks and choose the quickest path. In the event of one Internet route failing, traffic is rerouted via alternative networks.

Our data centre provider has both ISO 27001:2013 Information Security and Business Continuity certification and ISO 22301 Business Continuity Management certification.

Local auto-healing is used to monitor and repair possible issues on the server, and this process runs every 5 seconds. If a web or database process becomes unresponsive, then it will be automatically restarted before an issue has time to develop. All issues are logged for further analysis and reporting if needed.
Outage reporting Incidents (high error rates, unusual resource usage, etc) and outages (service failure, web site unavailable, etc) are reported directly to responsible parties via e-mail and/or text messages, as well as being reported to our internal monitoring system where teams can coordinate to resolve issues.

An API and public or private dashboard is also available upon request.

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels A current username and password together with optional 2FA are required for access to our hosting systems.

Administrative connections may only be made over secured SSH or TLS channels.

It is impossible to have permanent access to your data (databases) - only temporary connections may be made while a concurrent and authorized SSH connection is open from the same IP address.

Access to filesystems is restricted via temporarily authorized and tracked SSH keys.

A password strength and rotation policy is in place and enforced.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for Between 1 month and 6 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Interxion / The British Standards Institute
ISO/IEC 27001 accreditation date 14/07/2017
What the ISO/IEC 27001 doesn’t cover Website Express does not hold the certification directly, however, our data centre provider has a current INFORMATION SECURITY MANAGEMENT SYSTEM - ISO/IEC 27001:2013 certification that covers the security of the service.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Sage Pay Europe
PCI DSS accreditation date 09/06/2018
What the PCI DSS doesn’t cover Website Express does not hold the certification directly, however, Sage Pay Europe, our preferred online payment partners, have current Payment Card Industry Data Security Standard (PCI DSS) certification.
• PCI DSS
• PCI DSS v3.2
• PCI DSS v3.2 Level 1 Service Provider

We also integrate with other online payment providers, based on client preferences which can provide this certification for e-commerce functionality.

In addition, we can integrate GOV.UK Pay which uses payment processes that are fully Payment Card Industry (PCI) compliant.
Other security certifications Yes
Any other security certifications
  • ISO 9001:2015
  • Investors in People
  • ISO 22301:2012 BUSINESS CONTINUITY MANAGEMENT SYSTEM (Data centre provider)

Security governance

Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach As Website Express does not directly host systems, we do not have ISO 27001:2013 certification, however as part of our ISO 9001:2008 certified quality management system, we require this standard for all our managed hosting, data centre and cloud backup providers.

Managed hosting provider, Extraordinary Managed Services, has ISO 27001:2013 Information Security and Business Continuity certification.

Data centre provider, Interxion, has ISO 27001:2013 Information Security and Business Continuity certification and ISO 22301 Business Continuity Management certification.

Cloud-based backup provider, Amazon AWS, has certifications including ISO 9001, 27001, 27017 and 27018 as well as Cyber Essentials Plus and more national frameworks.
Information security policies and processes As part of our annual, audited ISO 9001:2015 quality system, we have defined roles and responsibilities for information security, with overall responsibility being held by a Website Express Ltd. Director.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach We follow a robust change management process which is audited annually under our ISO 9001 certification.

Changes are assessed for their impact and risk, and a process of continual identification, monitoring and review of the levels of IT services specified in the SLA ensure that quality is maintained.

All changes are implemented through a version-controlled configuration management system and progress through a series of automated and manual testing steps before being applied to the 'live' infrastructure.

This systematic and comprehensive approach ensures that changes to services are reviewed, tested, approved and communicated.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We follow the NIST Common Misuse Scoring System (NISTIR 7864). Each potential vulnerability is scored using this system.

The hosting platform (operating system, software, and applications) receives automated security patching for all software directly from the OS maintainers, with security patches applied as soon as they are available and have been tested on pre-production environments.

Alerts and newsletters are available from the maintainers, and technical staff monitor a number of respected advisory services for news.

Our Content Delivery Network provides a Web Application Firewall which is constantly updated to defend against newly released exploits.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Active web server monitoring blocks any IP address that is a source of DoS-like activity (too many connections in a very short timeframe), first temporarily for one hour and then permanently after many temporary blocks.

Strict firewall monitoring automatically denies access temporarily for one hour if it detects too many failed login attempts for SSH, SFTP or FTPS, a port scan or other exploits.

The Web Application Firewall will similarly deny access to known exploits.

Staff are automatically notified during any potential compromise and will take immediate action at the infrastructure or application layer.
Incident management type Supplier-defined controls
Incident management approach Policies exist within our SLAs that describe our response process for common events, with coordination and escalation available for non-standard incidents. Users report incidents through our service desk via ticket, web chat, email or telephone, and are kept updated with the progress and state of the incident throughout the event via the ticketing system. Full incident reports are provided in the event of serious incidents (for example, extended outages or security events).

Secure development

Approach to secure software development best practice Supplier-defined process

Public sector networks

Connection to public sector networks No

Pricing

Price £525 to £1800 per unit per month
Discount for educational organisations Yes
Free trial available No

Service documents

  • Pricing document (PDF)
  • Skills Framework for the Information Age rate card (PDF)
  • Service definition document (PDF)
  • Terms and conditions (PDF)