Hosting, Development and Security
The information below specifies the Project Services for our Hosting, Development and Security Support services. This information is incorporated into each agreement for the provision of those services, together with the relevant Statement of Work and any Service-Specific Conditions attached to the Statement of Work, and our General Conditions of Service, available on our website at www.thinkaps.com.
1. Hosting
Our website hosting service supports our Virtual Event Products and websites based on our core codebase or bespoke websites built on Drupal CMS.
Website hosting is charged per calendar month.
Website hosting starts at £250 per month.
Our website hosting supports events with up to 500 concurrent attendees on an independent virtual server but can be upgraded to support much larger audiences.
- Hosting upgrades for larger audiences are charged at a rate of £100 per 500 additional attendees, per event.
The Project Charges for website hosting are specified in the relevant Statement of Work. We use AWS (Amazon Web Services) for the provision of hosting services. We will use reasonable endeavours to resolve any issues in respect of server downtime due to hardware failure with AWS as part of our SLA (Service level agreement) with AWS, but we do not warrant that:
- access to the hosted Virtual Event Products or website will be uninterrupted or error-free; or
- the hosted Virtual Event Products or website will be free from vulnerabilities that when exploited, may result in a negative impact to confidentiality, integrity, or availability.
Website hosting on our Managed Servers comprises the following services, as more fully specified in the Statement of Work:
- Maintenance of core server software (operating system and supported components)
- Back-up provisioning, testing and disaster recovery
- Service monitoring
- Maintenance of services related to the running of the server (e.g. security groups, VLANs, etc.)
- Infrastructure in code (where applicable)
- Orchestration tools
Our default server location is Dublin.
2. Development
Development Framework
Our Virtual Event Products (excluding aps Collaborate) are based on the aps-developed core codebase built using Drupal 9 architecture (https://www.drupal.org/).
Drupal provides an expansive feature-set and robust, advanced security as documented here: https://www.drupal.org/features/security
Drupal sites have a set of core modules that perform the baseline functionality. Additional, contributed, or custom-created modules are added to sites and configured to add specific functionality. We develop specific Virtual Event Products for the client with the aim of providing the functionality specified in the Statement of Work.
aps Collaborate
aps Collaborate events are based on up to 300 attendees (Standard Zoom Meeting) but an upgrade package can increase attendees to 1,000 (price on application). The specification for the individual platform, and the Project Charges for aps Collaborate are specified in the relevant Statement of Work.
Standard aps Collaborate events include 2 months of hosting. Any event kept online longer than this at the client’s request is charged at £250 per month.
The aps Collaborate platform is built using Laravel on the PHP web framework. The platform is kept up to date via quarterly updates or immediately if a major patch or update is required, and therefore no Security Support Package is required for individual events.
Browser Compatibility
aps has gained valuable insight about users’ browsers through data collected whilst hosting a significant number of real-world virtual events. This has revealed very low use of legacy browsers.
Our development practices aim to deliver a secure experience through modern web browsers that are compatible with HTML5, the latest web language. Using dated and legacy browsers can have unpredictable results and our technologies are developed for modern browser compatibility as standard.
Additionally, we complete scripted testing and rectify issues found before website delivery and client UAT (User Acceptance Testing) on the following browsers:
- Google Chrome latest version on Windows OS
- Safari latest version on iOS
Where possible, we will fix issues found on other (modern) browsers that are identified during client UAT.
Compatibility with other browsers may be included in the Statement of Work; the work will be estimated for the client, and these additional browsers will be included in the testing scripts before release.
Note that it may not be possible to support older browsers. Their use today is limited, and users will be required to update their browsers to access websites using modern web technologies.
Warranty
aps aims to provide websites that are fully functioning (in accordance with the agreed specification) and error-free at launch. Complexities in the world wide web mean that despite the efforts of both the aps team and the client during User Acceptance Testing to identify issues, issues may only be encountered during use.
If an issue is reported by the client within 30 days from launch, aps will seek to rectify such issue (including, where applicable, through working with third parties relevant to the provision of the services) without client cost. Note this includes issues such as specified browser compatibility or issues affecting functionality agreed within the original Scope of Work but would not, for example, include the development of features or functionality that were never built, or part of the specification proposed by aps.
Site Content
The client shall ensure that any materials uploaded to a hosted site do not infringe any applicable laws, regulations or third-party rights (such as but not limited to material which is obscene, indecent, pornographic, seditious, offensive, defamatory, threatening, liable to incite racial hatred [or acts of terrorism], menacing, blasphemous or in breach of any third party Intellectual Property Rights) (Inappropriate Content).
The client acknowledges that aps has no control over any content placed on a hosted site by visitors and that aps does not monitor the content of such sites. aps reserves the right to remove content from a site where it reasonably suspects such content is Inappropriate Content.
Core Virtual Event Website Lifespan
Our Virtual Event websites built from our core codebase on Drupal 9 are currently expected to be supported until November 2023 (https://www.drupal.org/docs/understanding-drupal/drupal-9-release-date-and-what-it-means/how-long-will-drupal-9-be-supported).
Any live core Virtual Event websites will be supported until Drupal 9 is deprecated, provided that the client has entered into an agreement with us in respect of a Security Support Package for such website (see below for further information in respect of our Security Support services).
Drupal 10
By the time Drupal 9 is deprecated (currently expected after November 2023) live sites built in Drupal 9 will need a major version update to Drupal 10 to ensure the site can be continually maintained.
Carrying out this update is not included in our Security Support Package. An estimate to perform this major version update can be provided following a site audit to establish the work required.
Sometimes, contributed modules are not available for new major releases in time and site modifications, alternative modules, or custom modules may need to be created to perform the equivalent functionality. An estimate for the costs of carrying out any additional development work required in such circumstances can be provided on request.
Drupal 10 was launched in December 2022. aps assesses the changes and audits which contributed modules will be updated for the next major version. aps will develop new websites using Drupal 10 once satisfied about the compatibility and stability of the new release during 2023 and upgrade our core codebase to Drupal 10, subject to security and module audits.
Existing Drupal 7 and 8 sites
aps no longer supports Drupal 7 or Drupal 8 websites and existing sites built using Drupal 7 or Drupal 8 will need to be updated to Drupal 9 before re-use or additional development. An estimate of the work required to update a site to Drupal 9 will be provided following a site audit, which will include a Security Support Package.
3rd Party Solutions
Our platform and solutions may require integration with other 3rd party services and information about these can be provided on request for any project. The client’s use of the platform and solutions is subject to the licence terms on which any relevant 3rd party services are provided by the relevant third party.
Other Development Technology
Drupal is aps’s primary development framework; however, we may choose other technologies if appropriate for a particular project. Information relevant to this can be provided on request.
3. Security and Support
Core Security
aps’ core codebase, built using Drupal 9, is maintained on an ongoing basis and websites built from this codebase are delivered with the latest practical security updates at launch.
Until Drupal 9 is deprecated (see above), aps offers a Drupal 9 SSP (Security Support Package). These support packages will provide options for monthly or quarterly updates, according to agreed schedules, and at timings that consider event broadcasts.
We offer support options and highly recommend that our clients take our Security Support Package to ensure that websites are maintained on an ongoing basis, to mitigate against identified security vulnerabilities. Choosing not to maintain a website leaves it increasingly at risk of being subject to cyber-attack.
The update interval is offered at two frequencies to meet the requirements of most security policies. Other maintenance services and timing intervals may be provided as required. The update interval will be as specified in the Statement of Work, or otherwise agreed in writing between the parties.
The responsibility of aps in respect of the provision of Security Support Services is limited to implementing the measures and undertaking the activities specified in this document and in the relevant Statement of Work, and aps does not guarantee that the provision of such services will achieve the desired outcome of maintaining the security of the supported site.
Clients are responsible for ensuring that the Security Support Services provided by aps are adequate for their needs. Clients may approach risk in line with their corporate policy, considering the type of website and data held and balancing these against the cost of Security Support Packages. aps recommends a comprehensive security maintenance programme but offers different levels of service to clients so they can balance their needs against their own assessment of risk.
We run vulnerability scans every month across our hosted sites. Scans will highlight security issues that require attention categorised as critical, high, medium, and low priority. At times critical vulnerabilities may be reported to the client of the relevant site if assessed to be of significant concern with a cost estimate to address any issue (or, for those on a Premium (monthly) Security Support Package, addressed within the scope of this agreement).
Vulnerabilities of any severity (low to critical) will be reported every quarter and detailed in a report for each site. A client without a Security Support Package will be presented with the quarterly report which details module and code updates required.
Reports are provided free of charge and will include an estimate for the time required to install any required updates, at client cost.
A client may decide to monitor and action on demand or decide that the standard package is suitable for a website that has served an event and is only used longer term with limited functionality or with fewer visitors, for example. The standard package includes less time allocated to testing and focuses on checking basic functions work after updates. Updates occasionally affect functionality so a website should be tested after security updates to identify issues.
Our premium package includes more time for testing against the original functional specification of the website when launched and includes development time for fixing issues found. A client may choose this more comprehensive service to further mitigate against issues and avoid the need for delays to authorise identified remedial works.
We outline below the different categories of Security Support Package which we make available – fuller details may be provided in the relevant Statement of Work where applicable.
Security Support Package options:
Standard package - includes security updates with up to 5 hours to check the front end and basic functionality. Any issues found during this or subsequent client testing will be estimated for repair at client cost.
Initial Setup: £685
Then £845 for monthly updates or £1,495 for quarterly updates.
Premium package - includes security updates with up to 10 hours of site regression testing. Any issues will be rectified unless they exceed the included 5 hours of development fixing, in which case remedial action will be estimated for client agreement before deploying to the live environment.
Initial Setup: £685
Then £2,125 for monthly updates or £3,100 for quarterly updates