Transact Technology Solutions

Transact Cloud Management Platform (TCMP)

A simplified and streamlined reporting function on multi-cloud platforms. It covers FinOps, cost analysis, security and governance, utilisation, and detailed analysis of consumption and billing processes across multiple accounts.


  • Real-time reporting
  • Spend Analysis
  • Cost Optimisation
  • Inventory reporting
  • Usage reporting
  • Trend Analysis
  • Security
  • Governance


  • No billing overhead
  • Clear and concise billing
  • Breakdown of billing
  • Security environment overview
  • Governance overview
  • FinOps
  • Cloud best practices
  • Multi-cloud inventory and utilisation overview


£5 to £500000 per instance per month

  • Free trial available

Service documents


G-Cloud 11

Service ID

935712578678975


Transact Technology Solutions

Stuart Whitman

07725 367728

Service scope

Software add-on or extension
What software services is the service an extension to
AWS, Azure
Cloud deployment model
  • Public cloud
  • Hybrid cloud
Service constraints
No constraints in the listed environments
System requirements
Read access to environment

User support

Email or online ticketing support
Yes, at extra cost
Support response times
SLA dependent.
User can manage status and priority of support tickets
Phone support
Web chat support
Onsite support
Yes, at extra cost
Support levels
Transact offers 3 support levels: Gold, Silver and Bronze. All costs are dependent on cloud usage. Every customer will get access to a Technical Account Manager.
Support available to third parties

Onboarding and offboarding

Getting started
Transact provide a Demo, Proof of Concept, on-site training and user documentation.
Service documentation
Documentation formats
End-of-contract data extraction
Transact does not collect any customer data. Their billing data will be accessible for a 30-day grace period after contract end before deletion, unless otherwise specified.
End-of-contract process
At the end of the contract the functionality is stopped. There are no additional costs unless the customer wants Terms and Conditions specific to their environment.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Service interface
Description of service interface
Customers have access to their own portal which gives them a single pane of glass overview of their environment
Accessibility standards
None or don’t know
Description of accessibility
The customers access the portal through a secure web URL. Features and constraints are reviewed on a case by case basis
Accessibility testing
We provide on-going demos of regular updates with a customer user group. We will also work with customers on specific requirements
Customisation available
Description of customisation
The dashboard and access can be customised for individual customers as can the reports produced.


Independence of resources
Back end infrastructure is highly scalable and built to be fault tolerant


Service usage metrics
Metrics types
Utilisation of cloud services.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Reseller providing extra features and support
Organisation whose services are being resold

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
Protecting data at rest
Other data at rest protection approach
Not applicable, as we are only collating their usage data in a view-only format
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Not applicable, as we are only collating their usage data in a view-only format
Data export formats
Other data export formats
Data import formats
Other data import formats
Via Application

Data-in-transit protection

Data protection between buyer and supplier networks
Other protection between networks
Not applicable, as we are only collating their usage data in a view-only format
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Offering is highly available across multiple data centres
Approach to resilience
Available on request
Outage reporting

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
IAM provides user access control to Transact services, APIs and specific resources. Other controls include time, originating IP address, SSL use, and whether users authenticated via MFA devices.

API calls can be encrypted with TLS/SSL for confidentiality and customers can use TLS/SSL-protected API endpoints.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Access to supplier activity audit information
You control when users can access audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
EY CertifyPoint
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
ISO 28000:2007 certification
CSA STAR certification
CSA STAR accreditation date
CSA STAR certification level
Level 2: CSA STAR Attestation
What the CSA STAR doesn’t cover
PCI certification
Who accredited the PCI DSS certification
Coalfire Systems Inc
PCI DSS accreditation date
What the PCI DSS doesn’t cover
Other security certifications
Any other security certifications
  • Cyber Essentials Plus
  • Infosec
  • SOC 1/2/3

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
Transact implements formal, documented policies and procedures that provide guidance for operations and information security within the organisation. Policies address purpose, scope, roles, responsibilities and management commitment.

Employees maintain policies in a centralised and accessible location. Cloud Provider Security Assurance is responsible for familiarizing employees with the security policies.

Transact has established information security functions that are aligned with defined structure, reporting lines, and responsibilities. Leadership involvement provides clear direction and visible support for security initiatives.

The output of Transact Leadership reviews includes any decisions or actions related to:

• Improvement of the effectiveness of the ISMS.
• Update of the risk assessment and treatment plan.
• Modification of procedures and controls that affect information security to respond to internal or external events that may impact the ISMS.
• Resource needs.
• Improvement in how the effectiveness of controls is measured.

Policies are approved by Transact leadership at least annually or following a significant change to the environment.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Changes to services and features follow secure software development practices, including security risk reviews prior to launch. Developer access to production environments is via explicit access system requests, subject to owner review and authorisation.

Teams set bespoke change management standards per service, underpinned by standard guidelines.

All production environment changes are reviewed, tested and approved. Stages include design, documentation, implementation (including rollback procedures), testing (non-production environment), peer to peer review (business impact/technical rigour/code), final approval by authorised party.

Emergency changes follow incident response procedures. Exceptions to change management processes are documented and escalated to Transact management.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Transact performs vulnerability scans on the host operating system, web applications, and databases in the environment. Approved 3rd party vendors conduct external assessments (minimum frequency: quarterly). Identified vulnerabilities are monitored and evaluated. Countermeasures are designed and implemented to neutralise known/newly identified vulnerabilities.

Customers are responsible for all scanning, penetration testing, file integrity monitoring and intrusion detection for their EC2 and ECS instances/applications. Scans should include customer IP addresses (not endpoints). Endpoint testing is part of compliance vulnerability scans.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Transact uses monitoring devices to collect information on unauthorized intrusion attempts, usage abuse, and network/application bandwidth usage. Devices monitor:

• Port scanning attacks
• Usage (CPU, processes, disk utilization, swap rates, software-error generated losses)
• Application metrics
• Unauthorized connection attempts

Near real-time alerts flag incidents, based on thresholds set by the Service/Security Team.

Requests to KMS are logged and visible via the account’s Services. Logs provide request information, including the CMK under which the request was made, and identify the resource protected through use of the CMK. Log events are visible to customers after turning on services in their account.
Incident management type
Supplier-defined controls
Incident management approach
Transact adopts a three-phased approach to manage incidents:

1. Activation and Notification Phase
2. Recovery Phase
3. Reconstitution Phase

To ensure the effectiveness of the Incident Management plan, Transact conducts incident response testing, providing excellent coverage for the discovery of defects and failure modes as well as testing the systems for potential customer impact.

The Incident Response Test Plan is executed annually, in conjunction with the Incident Response plan. It includes multiple scenarios, potential vectors of attack, the inclusion of the systems integrator in reporting and coordination and varying reporting/detection avenues.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£5 to £500000 per instance per month
Discount for educational organisations
Free trial available
Description of free trial
Proof of Concept - a 1 month free trial for the TCMP

Access to services such as Cost Management, Security & Governance, and Compliance.

Service documents
