Terms of Use for GOV.UK Platform as a Service

You will need to read and agree to these Terms of Use before using GOV.UK PaaS.

Changes we’ve made to the Terms of Use

11 December 2019

Added requirement that tenants must regularly update their users and user permissions

Added requirement that tenants must get the right level of approval in their organisation before starting to use a paid quota

Clarified that emergency support is only available for live services

Removed requirement that tenants must comply with 12 factor development principles

Minor changes to make the Terms of Use more readable and accessible

21 June 2019

Various minor changes to account for non-Crown users and variable billing periods

29 April 2019

New references to Non Crown MOU

15 May 2018

Amendments to data policy

13 January 2017

Document approved

Dependencies

These Terms of Use mention the GOV.UK PaaS Memorandum of Understanding.

The GOV.UK PaaS Memorandum of Understanding has been agreed by your department or organisation. Any revision of these Terms of Use may also be issued as a version update to the signatory of the Memorandum of Understanding.

Terms of Use

These Terms of Use apply to our and your service’s use of GOV.UK PaaS.

Before you host a live service or private data on GOV.UK PaaS, your government organisation must have accepted and signed the GOV.UK PaaS Memorandum of Understanding.

Summary

If we accept your request to use GOV.UK PaaS, we agree to:

  • host your service’s application or applications
  • ensure that GOV.UK PaaS complies with the service standard
  • ensure that GOV.UK PaaS has obtained suitable government security accreditation
  • maintain the security of GOV.UK PaaS
  • provide support for GOV.UK PaaS
  • minimise downtime of GOV.UK PaaS
  • alert you to any performance issue with GOV.UK PaaS
  • pass on the cost of hosting your service and its applications, including any backing services, via a regular invoice
  • continuously iterate GOV.UK PaaS in line with user needs
  • keep your data secure and comply with Data Protection Legislation/GDPR.

You agree to:

  • get the right level of approval in your organisation before you start using a paid quota
  • ensure that your service has passed government security accreditation and the Service Standard assessment, where necessary
  • only store data classified as ‘official’ and not store data classified as ‘secret’ or ‘top secret’
  • maintain the security of your applications
  • make sure you regularly update who has access to GOV.UK PaaS and their user permissions
  • not do anything which would, or is likely to, compromise the security or integrity of GOV.UK PaaS or its Sub-Contractors
  • tell us before you load or security test your service/applications
  • not load or security test GOV.UK PaaS or the underlying infrastructure
  • support your service/applications
  • support the users of your service/applications
  • let us know if you experience an issue with GOV.UK PaaS by using our ticketing system
  • agree to pay the costs as passed on to you by the GOV.UK PaaS team.

Before you can use GOV.UK PaaS for live services and private data you should have:

  • signed the Memorandum of Understanding agreement, if your organisation has not already done so
  • informed the GOV.UK PaaS team that you intend to deploy a live service via gov-uk-paas-support@digital.cabinet-office.gov.uk
  • asked them to upgrade the organisation (org) on GOV.UK PaaS where the service is hosted to a paid quota, if you have not already done so
  • obtained the relevant official level of security accreditation for your service/applications
  • accepted these Terms of Use

The agreement between GOV.UK PaaS and its users

What GOV.UK PaaS agrees to do

Host your development service/applications

We will provide you with a trial account and host your service’s development applications, providing all of the requirements summarised in these Terms of Use have been met.

Host your live service/applications

We will host your service’s live applications, provided the requirements summarised in this document have been met.

Ensure that GOV.UK PaaS complies with the Service Standard

We will ensure that GOV.UK PaaS has passed the service assessment appropriate for its current level of development.

Ensure that GOV.UK PaaS has obtained its government security accreditation

We will ensure that GOV.UK PaaS has been through the information assurance process to assess information and security risks, to determine appropriate treatments for those risks and to obtain risk acceptance from the Cabinet Office Senior Information Risk Officer (SIRO) for data classified as ‘official.’ This work includes the completion of a Screening Data Protection Impact Assessment (SDPIA), or Full Data Protection Impact Assessment (DPIA) (if required) to ensure compliance with the applicable Data Protection legislation/GDPR. Further information can be found in the ‘We agree to keep your data secure’ section below.

Maintain the security of GOV.UK PaaS

We will inform you in a timely manner if GOV.UK PaaS experiences any security breaches.

We will perform penetration testing on GOV.UK PaaS, so that you don’t have to.

We will ensure that all security or vulnerability updates and patches are applied in a timely manner, and where relevant, we will tell you when we deploy them.

Provide support for GOV.UK PaaS

GOV.UK PaaS provides 24/7 support for live services. We provide a ticketing system and escalation routes for service teams to address incidents.

Minimise downtime of GOV.UK PaaS

We have an internal alerting system that will tell us when GOV.UK PaaS is experiencing technical issues that may result in the loss of the platform, and we will take remedial action immediately.

Alert you to any issue GOV.UK PaaS is experiencing

We will ensure that you are informed of any technical issues the platform experiences that may impact your service/applications. You can sign up to see the current status of GOV.UK PaaS and receive alerts on our Statuspage.

Invoice you regularly for using GOV.UK PaaS

The GOV.UK PaaS team will invoice you regularly in arrears, for the cost of hosting your service/applications on GOV.UK PaaS. You will be invoiced either monthly, quarterly or annually, depending on your level of usage.

Continuously iterate GOV.UK PaaS in line with user needs

The GOV.UK PaaS team will continuously iterate the platform in line with tenants’ needs throughout the lifetime of the product. GOV.UK PaaS will do this by ensuring that user research is an integral part of its development.

Keep your data secure

GOV.UK PaaS will store and process tenant admin user data in accordance with our privacy policy. A Data Processing Agreement is contained with the Memorandum of Understanding in which both parties’ obligations towards Data Protection are set out.

GOV.UK PaaS will store and process tenant data in accordance with our Memorandum of Understanding and Terms of Use.

You are responsible for the protection and security of the data used by your applications in compliance with applicable Data Protection Legislation/GDPR.

GOV.UK PaaS has been through an information assurance process which includes the completion of a Screening Data Protection Impact Assessment (SDPIA) and Full Data Protection Impact Assessment to ensure compliance with the applicable Data Protection Legislation/GDPR.

Cabinet Office/GDS act as Data Processor within the meaning of the Data Protection Legislation/GDPR, as parent organisation of GOV.UK PaaS. Your organisation remains the Data Controller within the meaning of the Data Protection Legislation/GDPR.

If we receive Subject Access Requests which relate to data held by your team or product, we will pass tenants’ details to the GDS channel that made the request to ensure compliance with Data Protection Legislation in order to meet both parties’ obligations.

We maintain appropriate technical and organisational measures to protect data. We make sure our sub-contractors follow the same procedures.

Give you at least 30 days’ notice if we change these terms

Any change to these terms will be reflected in this document under "Changes we’ve made to the Terms of Use", and will take immediate effect.

Section 4.8 of the GOV.UK PaaS Memorandum of Understanding for Crown Tenants describes the document change management.

Section 5 of the GOV.UK PaaS Memorandum of Understanding for Non Crown Tenants describes the document change management.

What you as a user agree to do

Get the right level of approval in your organisation before you start using a paid quota

You agree to get approval from the appropriate person or people in your organisation before you ask for your GOV.UK PaaS account to be upgraded to a paid quota.

Ensure that your service complies with the Service Standard (where necessary) and has passed government security accreditation

You agree to ensure that your service has passed the appropriate Service Standard assessment, where necessary.

You agree to assure your service through your organisation’s information assurance (security) process, as required by your organisation. You don’t need to include assurance of GOV.UK PaaS, since we’ve already done that. We can share the work we’ve done with you.

Maintain the security of your applications

You will secure access to your application and ensure that it has all relevant security and vulnerability updates and patches applied in a timely manner.

You will collect and store any logs that you require in order to manage or investigate the operation of your application.

Make sure you regularly update who has access to GOV.UK PaaS and their user permissions

You will regularly review and update the list of users in your GOV.UK PaaS account to ensure that the correct people have access, and that any people who have left your service team have their permissions removed.

You will ensure that you have used the user management tools provided by GOV.UK PaaS to specify an Organisation Manager (with a government or public sector email address).

You will ensure that you have used the user management tools provided by GOV.UK PaaS to specify a Billing Manager (with a government or public sector email address), who will be responsible for paying for the service.

Not compromise the security or integrity of GOV.UK PaaS or any GOV.UK PaaS sub-contractor

You must tell us immediately if you experience any security breaches and comply with the notifications required under the Data Protection Legislation (para 1.8.3 under the Crown Tenant Data Processing Agreement and Schedule 1 para 2.5.6 under the Non Crown Tenant Data Processing Agreement). This is so we can make sure other services running on GOV.UK PaaS, or our sub-contractors, are not affected and that both parties comply with obligations under the Data Protection Legislation/GDPR.

You must follow industry best practices for keeping your API keys and other credentials secure.

You must notify us at least 14 days before performing any load or security testing on your application hosted with GOV.UK PaaS.

You must not conduct any load or security testing on GOV.UK PaaS itself, nor the underlying infrastructure, since we’ve already done that - we can share the work we’ve done with you.

Support the service/applications that are hosted on GOV.UK PaaS

You are responsible for providing technical support for your service/applications while it is hosted on GOV.UK PaaS. The GOV.UK PaaS team will only provide technical support for the availability of the platform itself.

Provide user support for the users of your service/applications

You are responsible for continuing to provide user support (including assisted digital support) for the users of your service/applications.

Let us know if you experience an issue with GOV.UK PaaS via our ticketing system

If you experience an issue with GOV.UK PaaS, you will let us know via our ticketing system.

Pay for the hosting resources your service/applications use, including for any backing services, which the GOV.UK PaaS team will pass on to you

You will pay the invoice you receive from Government Digital Service charging you for the space you use to host your service/applications and additional backing services and additional platform costs. A full breakdown of what we charge for is in section 4.1 of the Crown Tenant Memorandum of Understanding or at Schedule 2 of the non Crown Tenant Memorandum of Understanding.

You will pay this invoice in full within 30 days.

Leaving GOV.UK PaaS

Please let the GOV.UK PaaS team know if you want to remove your service/applications from the platform by emailing gov-uk-paas-support@digital.cabinet-office.gov.uk. We’ll close your account and all of your data will be deleted.

Suspending or Removing a Service

GOV.UK PaaS may suspend or remove a service if it is in significant breach of these Terms of Use.