Headless CMS
Netcel’s experienced team provide consultancy around selecting and implementing Headless CMS solutions to support you in delivering multichannel breakthrough user experiences and to help future-proof your digital estate.
Features
- Elastic scaling to support traffic peaks and bursts
- Based on the latest Microsoft cloud technology, Azure Web Apps
- Optimal performance via a content delivery network (CDN)
- Separated environments for integration/test, preproduction and production
- Best-of-breed services from vendors via connectors and add-ons
- 24x7x365 global operations, maintenance and support
- Detailed online reports show you website and transaction performance
- Proactive application and end-user experience monitoring
- Data backup and retention
- DDOS mitigation
Benefits
- 20 years+ knowledge with highly experienced team
- SLA guarantee on your web site being up and running
- Lower TCO with a fully managed service
- Strategic approach and holistic view ensures flexibility and scalability
Pricing
£693 to £1,232 a person a day
- Education pricing available
Service documents
Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format,
email the supplier at sam.barrow@netcel.com.
Tell them what format you need. It will help if you say what assistive technology you use.
Framework
G-Cloud 11
Service ID
9 1 5 5 3 0 8 8 4 8 3 8 4 1 8
Contact
Netcel
Sam Barrow
Telephone: 020 3743 0100
Email: sam.barrow@netcel.com
Service scope
- Software add-on or extension
- No
- Cloud deployment model
- Private cloud
- Service constraints
- None
- System requirements
-
- Software licence for relevant CMS platform
- Multi deployment environments - Deployment, test, staging and production
- SSL certificate
- Content delivery network - CDN
- Web application firewall
- Anti-virus software
- High availability infrastructure
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- We offer four priority support levels (P1, P2, P3 & P4). Priority One is assigned to system down or significant-loss-of-business events, with a response time of up to 1 hour and 4-hour fix time. Priority Two issues carry a response time of up to 4 hours and a fix target of 2 business days. Under the standard support agreement, Netcel’s support desk is manned 8am-6pm UK time, Monday-Friday, excluding public holidays. We can potentially offer a 24/7 support service.
- User can manage status and priority of support tickets
- Yes
- Online ticketing support accessibility
- None or don’t know
- Phone support
- Yes
- Phone support availability
- 24 hours, 7 days a week
- Web chat support
- No
- Onsite support
- Yes, at extra cost
- Support levels
- Within our two main services – Priority Support & Continuous Improvement – we have 5 different support levels. Priority Support covers Priority One and Two defects defined as; Priority One - Response is up to 1 hour (catastrophic & functional critical); Priority Two - Response is up to 4 hours (functional critical). Priority One or Two levels are dealt with as a matter of urgency based on the SLA response and fix times. Typically, these are deployed as hot fixes due to the nature of the issues, hence the name ‘Priority Support’. Defects that fall outside of Priority Support definitions are delivered via the Continuous Improvement programme, i.e. Priority Three, Four and Maintenance issues. Where there isn’t an immediate need to resolve the issue, greater efficiencies can be leveraged by combining tickets into regular deployment windows (typically monthly) in a Continuous Improvement programme. This is a managed process with the involvement of a BA / PM to identify and review the requirements for the next release. A member of the support triage team is responsible for resolution of each support ticket.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
-
All users are provided with a range of resources required to ensure they get the most out of the service. This includes:
- Trainings Needs Analysis
- Vendor training
- Train the trainer
- Exercise books
- Bespoke user manual
- Training Videos
- Facilitation days and workshops - Service documentation
- Yes
- Documentation formats
- End-of-contract data extraction
- Any solution data held within the hosting service will be made (securely) available at the end of the contract. If transferring to another similar solution configuration the data can be provided in the standard Episerver format of SQL database backups. If transferring to a different solution and the standard SQL database backups will not suffice, any solution data can be extracted and provided in common formats such as CSV or XML as required.
- End-of-contract process
-
The Contract will be effective from the date of the agreement and continues to be in force for a period of twelve months after which the Contract may be terminated by either party at any time by providing one month’s prior written notice.
The supply of Goods and Services and Price are subject to the terms and conditions set out in the Contract Agreement.
A full set of Schedules and Appendices to the Contract Agreement with any documents referred to in them, form an integral part of the Contract and any reference to the Contract means this agreement in writing as may subsequently be agreed between the parties.
The Price detailed in the Contract are exclusive of VAT, which shall be charged to and be payable by the Client pursuant to the relevant invoice for the same.
Any Goods or Services not expressly provided for in the Contract, yet agreed to by the Parties will be documented and be delivered by Netcel hereunder, will be chargeable on a time and materials basis in accordance with the Billing Rates.
Using the service
- Web browser interface
- No
- Application to install
- No
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
- None
- Service interface
- No
- API
- Yes
- What users can and can't do using the API
-
The Service API is a service layer available for system integrators to update and retrieve information from their CMS, ensuring a seamless integration with external systems such as PIM, DAM and ERP.
The Service API provides a programming interface for performing operations like:
- Import and export of data files;
- Import and export forms data;
- Bulk import and export of media and catalog data in Commerce;
- Bulk asset linking between media and catalog content in Commerce;
- 'RESTful' CRUD operations for managing individual catalogs, nodes, entries, and warehouses in Commerce; - API documentation
- Yes
- API documentation formats
-
- HTML
- API sandbox or test environment
- Yes
- Customisation available
- Yes
- Description of customisation
-
All the CMSs we develop are extremely customisable, from both a frontend and backend perspective. They can be customised by editors, developers and system architects. The various customised elements include:
- Develop custom properties and introduce editor functionality
- Develop custom on page editing
- Quick navigation menu
- Global menu selection
- Add image and logo on the log in page
- Manually render a page or block using .NET
- Create content icons
- Render custom HTML for CMS properties
- Custom icons for specific page types
- Content approval system
- A/B Testing
- Personalisation
Scaling
- Independence of resources
-
Through differing levels of performance, load and stress testing we ensure that the service itself is resilient to high loads. Both the applications we architect and deliver and the infrastructure upon which they reside are built appropriately for the anticipated load and, within reason, and more. Our services are designed to scale appropriately.
The net output of the architecture, implementation and infrastructure we deliver is a service where high traffic will not affect other users of the service.
Analytics
- Service usage metrics
- Yes
- Metrics types
- Configuration, management and reporting via Google Analytics or in-application dashboards. Gives instant access to analytics and trends within your working website context, allowing you to take immediate actions to improve conversions and optimise traffic.
- Reporting types
-
- API access
- Real-time dashboards
- Regular reports
- Reports on request
Resellers
- Supplier type
- Reseller providing extra features and support
- Organisation whose services are being resold
- Episerver, Sitecore and Kentico
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- Up to Developed Vetting (DV)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
-
- United Kingdom
- European Economic Area (EEA)
- EU-US Privacy Shield agreement locations
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Supplier-defined controls
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- Another external penetration testing organisation
- Protecting data at rest
- Physical access control, complying with another standard
- Data sanitisation process
- Yes
- Data sanitisation type
- Explicit overwriting of storage before reallocation
- Equipment disposal approach
- A third-party destruction service
Data importing and exporting
- Data export approach
- Clients can export data from their CMS solution directly to ODF, CSV, Excel or alternatively directly to a similar CMS. This is particularly helpful when working across several environments that sit across the same infrastructure. This function is widely used by developers building new functionality in a test or development environment. When work is completed, and the information is ready for the production environment, you can simply use the export features to transfer the data between websites.
- Data export formats
-
- CSV
- ODF
- Other
- Other data export formats
- Excel
- Data import formats
-
- CSV
- ODF
Data-in-transit protection
- Data protection between buyer and supplier networks
-
- Private network or public sector network
- TLS (version 1.2 or above)
- Data protection within supplier network
- TLS (version 1.2 or above)
Availability and resilience
- Guaranteed availability
-
For a period of 12 months from acceptance, the service will be free of viruses, trojan horses, logic bombs and other deleterious materials except where any such materials have been introduced to the service by the Client or any third party appointed by the Client; and
It shall use all reasonable skill and care in the provision of the Project to the Client, using at all times appropriately qualified and skilled personnel in the delivery thereof; and will not infringe the intellectual Property Rights of any third party. - Approach to resilience
-
All infrastructure provided to our clients has the option for complete resilience either within a single datacentre, across multiple datacentres in a single region (such as the UK) or across multiple datacentres geographically.
This configuration allows for the worst case loss of an entire physical datacentre with services remaining fully operational.
Methods such as load balancing, mirroring and the more traditional failover are utilised to provide such resilience. - Outage reporting
-
Outages can be reported via different channels subject to the specific requirements either in real-time or delayed until the next working business day.
Our services can provide access for service outages to a private, client specific, dashboard. Email alerts can also be provided alongside a more personal phone call should a service outage occur.
We are also able to hook in to different channels such as API alerts should these be required.
Outages for maintenance include: Emergency maintenance - we aim to notify you of this outage as soon as practicably possible. Planned maintenance - we shall use reasonable endeavors to provide you with a minimum of seven days’ notice and shall in any event give you as much notice as practicably possible. Scheduled maintenance - our standard scheduled maintenance window is every day between 12am-3am UK time. In this case, we shall, where practical, provide notice of such. All clients will be notified via email, phone and dashboard as appropriate.
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Identity federation with existing provider (for example Google Apps)
- Limited access network (for example PSN)
- Dedicated link (for example VPN)
- Username or password
- Access restrictions in management interfaces and support channels
-
At a minimum, access to management interfaces are restricted with a username/password and SSL encryption.
Where permitted by the infrastructure configuration, management interfaces are entirely removed from public access and accessible only via a secure channel.
Multi-factor authentication or integration with a client (service) specific authentication source is feasible. - Access restriction testing frequency
- At least every 6 months
- Management access authentication
- Other
- Description of management access authentication
- Entirely dependent on client solution.
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- At least 12 months
- Access to supplier activity audit information
- Users have access to real-time audit information
- How long supplier audit data is stored for
- User-defined
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- No
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- No
- Security governance approach
- Monitoring is deployed within our network to audit access to data both as the individual and the device. Our network contains both application security and threat analytics via industry standard monitoring solutions helping to enforce our policies.
- Information security policies and processes
-
Netcel follow a standard information security policy in context of modern cyber security classified as "a formal set of rules by which those people who are given access to company technology and information assets must abide."
Our policy covers hardware, software, communications and data throughout. Information is classified in to categories based on the confidentiality of the data.
Monitoring is deployed within our network to audit access to data both as the individual and the device. Our network contains both application security and threat analytics via industry standard monitoring solutions helping to enforce our policies.
Violation, either automatically detected or manually detected, must be reported to the IT department immediately from where the issue will be escalated accordingly.
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
-
Netcel hold a change log for aspects of the solution that are infrastructure related. Only Microsoft approved patches are deployed. Third party drivers or such are not permitted.
Any security vulnerabilities identified by third parties are addressed in accordance with the industry standard recommendations as a priority.
Where possible, environment configurations are fully automated and controlled with all configuration and change operated through auditable source control. - Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
-
In accordance with our cyber security policy, access to our networks is monitored through automated solutions to detect, as close to the perimeter as possible, any initial threat.
Infrastructure, both internal and that which we provide as part of a service, is patched at least on a monthly cycle in accordance with Microsoft best practice recommendations.
Information regarding potential threats is obtained from our automated solutions and specialist security partners. - Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
-
In accordance with our cyber security policy, access to our networks is monitored through automated solutions to detect, as close to the perimeter as possible, any initial threat.
If a potential compromise is detected this is addressed through the security software that we have deployed either blocking the compromise automatically or manually.
Where a potential compromise is being attempted automated escalation of security risks are undertaken and approaches such as multi-factor authentication are instigated to protect the network and data within.
Responses to incidents are on a priority basis and attended to immediately where feasible. - Incident management type
- Supplier-defined controls
- Incident management approach
-
Users are, subject to the specific incident type, generally required to escalate incidents to the IT department upon discovery from where the incident will be triaged and further escalated accordingly.
Netcel have in place standard processes for dealing with any incident occurrences. Initial incident reports are provided within the next working business day and further developed if required.
Secure development
- Approach to secure software development best practice
- Conforms to a recognised standard, but self-assessed
Public sector networks
- Connection to public sector networks
- No
Pricing
- Price
- £693 to £1,232 a person a day
- Discount for educational organisations
- Yes
- Free trial available
- No
Service documents
Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format,
email the supplier at sam.barrow@netcel.com.
Tell them what format you need. It will help if you say what assistive technology you use.