11 December 2019
Added requirement that tenants must regularly update their users and user permissions
Added requirement that tenants must get the right level of approval in their organisation before starting to use a paid quota
Clarified that emergency support is only available for live services
Removed requirement that tenants must comply with 12 factor development principles
21 June 2019
Various minor changes to account for non-Crown users and variable billing periods
29 April 2019
New references to Non Crown MOU
15 May 2018
Amendments to data policy
13 January 2017
Before you host a live service or private data on GOV.UK PaaS, your government organisation must have accepted and signed the GOV.UK PaaS Memorandum of Understanding.
If we accept your request to use GOV.UK PaaS, we agree to:
- host your service’s application or applications
- ensure that GOV.UK PaaS complies with the service standard
- ensure that GOV.UK PaaS has obtained suitable government security accreditation
- maintain the security of GOV.UK PaaS
- provide support for GOV.UK PaaS
- minimise downtime of GOV.UK PaaS
- alert you to any performance issue with GOV.UK PaaS
- pass on the cost of hosting your service and its applications, including any backing services, via a regular invoice
- continuously iterate GOV.UK PaaS in line with user needs
- keep your data secure and comply with Data Protection Legislation/GDPR.
You agree to:
- get the right level of approval in your organisation before you start using a paid quota
- ensure that your service has passed government security accreditation and the Service Standard assessment, where necessary
- only store data classified as ‘official’ and not store data classified as ‘secret’ or ‘top secret’
- maintain the security of your applications
- make sure you regularly update who has access to GOV.UK PaaS and their user permissions
- not do anything which would, or is likely to, compromise the security or integrity of GOV.UK PaaS or its Sub-Contractors
- tell us before you load or security test your service/applications
- not load or security test GOV.UK PaaS or the underlying infrastructure
- support your service/applications
- support the users of your service/applications
- let us know if you experience an issue with GOV.UK PaaS by using our ticketing system
- agree to pay the costs as passed on to you by the GOV.UK PaaS team.
Before you can use GOV.UK PaaS for live services and private data you should have:
- signed the Memorandum of Understanding agreement, if your organisation has not already done so
- informed the GOV.UK PaaS team that you intend to deploy a live service via email@example.com
- asked them to upgrade the organisation (org) on GOV.UK PaaS where the service is hosted to a paid quota, if you have not already done so
- obtained the relevant official level of security accreditation for your service/applications
The agreement between GOV.UK PaaS and its users
What GOV.UK PaaS agrees to do
Host your development service/applications
Host your live service/applications
We will host your service’s live applications, provided the requirements summarised in this document have been met.
Ensure that GOV.UK PaaS complies with the Service Standard
We will ensure that GOV.UK PaaS has passed the service assessment appropriate for its current level of development.
Ensure that GOV.UK PaaS has obtained its government security accreditation
We will ensure that GOV.UK PaaS has been through the information assurance process to assess information and security risks, to determine appropriate treatments for those risks and to obtain risk acceptance from the Cabinet Office Senior Information Risk Officer (SIRO) for data classified as ‘official.’ This work includes the completion of a Screening Data Protection Impact Assessment (SDPIA), or Full Data Protection Impact Assessment (DPIA) (if required) to ensure compliance with the applicable Data Protection legislation/GDPR. Further information can be found in the ‘We agree to keep your data secure’ section below.
Maintain the security of GOV.UK PaaS
We will inform you in a timely manner if GOV.UK PaaS experiences any security breaches.
We will perform penetration testing on GOV.UK PaaS, so that you don’t have to.
We will ensure that all security or vulnerability updates and patches are applied in a timely manner, and where relevant, we will tell you when we deploy them.
Provide support for GOV.UK PaaS
GOV.UK PaaS provides 24/7 support for live services. We provide a ticketing system and escalation routes for service teams to address incidents.
Minimise downtime of GOV.UK PaaS
We have an internal alerting system that will tell us when GOV.UK PaaS is experiencing technical issues that may result in the loss of the platform, and we will take remedial action immediately.
Alert you to any issue GOV.UK PaaS is experiencing
We will ensure that you are informed of any technical issues the platform experiences that may impact your service/applications. You can sign up to see the current status of GOV.UK PaaS and receive alerts on our Statuspage.
Invoice you regularly for using GOV.UK PaaS
The GOV.UK PaaS team will invoice you regularly in arrears, for the cost of hosting your service/applications on GOV.UK PaaS. You will be invoiced either monthly, quarterly or annually, depending on your level of usage.
Continuously iterate GOV.UK PaaS in line with user needs
The GOV.UK PaaS team will continuously iterate the platform in line with tenants’ needs throughout the lifetime of the product. GOV.UK PaaS will do this by ensuring that user research is an integral part of its development.
Keep your data secure
You are responsible for the protection and security of the data used by your applications in compliance with applicable Data Protection Legislation/GDPR.
GOV.UK PaaS has been through an information assurance process which includes the completion of a Screening Data Protection Impact Assessment (SDPIA) and Full Data Protection Impact Assessment to ensure compliance with the applicable Data Protection Legislation/GDPR.
Cabinet Office/GDS act as Data Processor within the meaning of the Data Protection Legislation/GDPR, as parent organisation of GOV.UK PaaS. Your organisation remains the Data Controller within the meaning of the Data Protection Legislation/GDPR.
If we receive Subject Access Requests which relate to data held by your team or product, we will pass tenants’ details to the GDS channel that made the request to ensure compliance with Data Protection Legislation in order to meet both parties’ obligations.
We maintain appropriate technical and organisational measures to protect data. We make sure our sub-contractors follow the same procedures.
Give you at least 30 days’ notice if we change these terms
Section 4.8 of the GOV.UK PaaS Memorandum of Understanding for Crown Tenants describes the document change management.
Section 5 of the GOV.UK PaaS Memorandum of Understanding for Non Crown Tenants describes the document change management.
What you as a user agree to do
Get the right level of approval in your organisation before you start using a paid quota
You agree to get approval from the appropriate person or people in your organisation before you ask your GOV.UK PaaS account to be upgraded to a paid quota.
Ensure that your service complies with the Service Standard (where necessary) and has passed government security accreditation
You agree to ensure that your service has passed the appropriate Service Standard assessment, where necessary.
You agree to assure your service through your organisation’s information assurance (security) process, as required by your organisation. You don’t need to include assurance of GOV.UK PaaS, since we’ve already done that. We can share the work we’ve done with you.
Maintain the security of your applications
You will secure access to your application and ensure that it has all relevant security and vulnerability updates and patches applied in a timely manner.
You will collect and store any logs that you require in order to manage or investigate the operation of your application.
Make sure you regularly update who has access to GOV.UK PaaS and their user permissions
You will regularly review and update the list of users in your GOV.UK PaaS account to ensure that the correct people have access, and that any people who have left your service team have their permissions removed.
You will ensure that you have used the user management tools provided by GOV.UK PaaS to specify an Organisation Manager (with a government or public sector email address).
You will ensure that you have used the user management tools provided by GOV.UK PaaS to specify a Billing Manager (with a government or public sector email address), who will be responsible for paying for the service.
Not compromise the security or integrity of GOV.UK PaaS or any GOV.UK PaaS sub-contractor
You must tell us immediately if you experience any security breaches and comply with the notifications required under the Data Protection Legislation (para 1.8.3 under the Crown Tenant Data Processing Agreement and Schedule 1 para 2.5.6 under the Non Crown Tenant Data Processing Agreement). This is so we can make sure other services running on GOV.UK PaaS, or our sub-contractors, are not affected and that both parties comply with obligations under the Data Protection Legislation/GDPR.
You must follow industry best practices for keeping your API keys and other credentials secure.
You must notify us at least 14 days before performing any load or security testing on your application hosted with GOV.UK PaaS.
You must not conduct any load or security testing on GOV.UK PaaS itself, nor the underlying infrastructure, since we’ve already done that - we can share the work we’ve done with you.
Support the service/applications that are hosted on GOV.UK PaaS
You are responsible for providing technical support for your service/applications while they are hosted on GOV.UK PaaS. The GOV.UK PaaS team will only provide technical support for the availability of the platform itself.
Provide user support for the users of your service/applications
You are responsible for continuing to provide user support (including assisted digital support) for the users of your service/applications.
Let us know if you experience an issue with GOV.UK PaaS via our ticketing system
If you experience an issue with GOV.UK PaaS, you will let us know via our ticketing system.
Pay for the hosting resources your service/applications use, including any backing services, which the GOV.UK PaaS team will pass on to you
You will pay the invoice you receive from Government Digital Service charging you for the space you use to host your service/applications, additional backing services and additional platform costs. A full breakdown of what we charge for is in section 4.1 of the Crown Tenant Memorandum of Understanding or in Schedule 2 of the Non Crown Tenant Memorandum of Understanding.
You will pay this invoice in full within 30 days.
Leaving GOV.UK PaaS
Please let the GOV.UK PaaS team know if you want to remove your service/applications from the platform by emailing firstname.lastname@example.org. We’ll close your account and all of your data will be deleted.
Suspending or Removing a Service