Omegabit facilities are SOC-2 audited and compliant (see attached certification statement).  This addresses the standards and controls that are needed and typical of a HIPAA, FERPA, or PCI-I compliant implementation.  Our NOC has also been PCI-I certified for other tenants that have elected for an independent audit.  However, in order to promise compliance to HIPAA, FERPA, or PCI, typically requires that an independent audit be applied throughout the logical application layer, including your specific Liferay implementation.  Our standard compliance is usually sufficient for these applications, but assumes that the application owner/sponsor (you), are taking responsibility for compliance that must occur at the OS and application layers, for which you are in control.  Omegabit hosts a number of healthcare related sites that are customer self-certified as HIPAA compliant based on this rationale and their own security practices.  (Caution:  Any provider that tells you that you get HIPAA compliance out-of-the-box is skirting the issue). 

Omegabit does and will advise on these best practices, and is happy to participate and support an ongoing standards audit for any of these levels of compliance by a third party entity.

Costs for actual HIPAA/FERPA or PCI-I type certification specific for a given Customer implementation typically run $40K-$65K/year to perform an annual audit and maintain the necessary standards and compliance procedures and documentation required to satisfy future audits.

Omegabit facilities are SOC-2 compliant; this is considered the modern and more scrupulous replacement for SAS 70 compliance in industry. The SOC-2 compliance audit is performed every 18-24 months.  

Passed with no successful exploits or exceptions; May 2017; details cannot be divulged due to its proprietary and sensitive nature.

Omegabit features an comprehensive and robust high-availability host infrastructure with redundancy and alternate location disaster recovery capabilities including multiple layers of data backup and archive. This includes daily local SAN and backup snapshots, and offsite archives. See SOW-SLA for standard terms, which can be adjusted to meet the specific needs of this implementation. Passed last tests with no successful exploits or exceptions; May 2017; details cannot be divulged due to its proprietary and sensitive nature.

Actual size and licensing costs may vary according to details of the implementation that will be refined with the cooperation of the implementation team and Omegabit project team during the design phase of the engagement, under the direction of the client.

Omegabit services are incremental (e.g. changes to RAM, CPU, bandwidth, etc.), and month-to-month.  Omegabit will honor fixed pricing and in some cases may be able to extend discounts for longer-term obligations, and is also able to support multi-year term commitments.  The proposed costs are framed as annual costs, but can be pro-rated.  Omegabit also supports monthly and annual pre-paid billing with rollover support for unused resources.

Due to the nature of application hosting, these practices are core and inherent to our regular of operations. A TOC outlining procedural content has been provided for reference; full content is obfuscated due to its proprietary and sensitive nature. The following outlines are provided: "Omegabit Disaster Recovery Plan TOC", "Omegabit IT Security Handbook", and the "Omegabit Employee Handbook". Collectively, these documents cover many of the issues identified in this list. Other items are covered by our Operational Wikis. Omegabit is also able to maintain a custom policy and procedures for customers with special needs, e.g. PCI, or similar compliance. A sample policy statement has been provided of an example maintained with a PCI compliant tennant. Please see also, the attachment "Federal Reserve Bank of New York - Omegabit Operations Policy Guidelines and Recommendations".

Omegabit provides extensive security training following best practices for PCI, FERPA, FEDRAMP and similar compliance modeled on industry standards and best practices. This includes emphasis on traditional IT and host infrastructure security for Internet providers, as well as specialized training relating to custom application designs and the implementation of Liferay, specifically. Many practices are modeled after requirements established from its broad base of customers operating sensitive applications for finance, healthcare, government, education and similar purposes. Omegabit is able to support most any compliance requirement and typically will establish operational policies that are considerate of best practices and the specific requirements of the Customer. A Table of Contents (TOC), outlining procedural content has been provided for reference; full content is obfuscated due to its proprietary and sensitive nature. The following outlines are provided: "Omegabit Disaster Recovery Plan TOC", "Omegabit IT Security Handbook", and the "Omegabit Employee Handbook". Collectively, these documents cover many of the issues identified in this list. Other items are covered by our Operational Wikis. Omegabit is also able to maintain a custom policy and procedures for customers with special needs, e.g. PCI or similar compliance. A sample policy statement has been provided of an example maintained with a PCI compliant tennant. Please see the attachment "Federal Reserve Bank of New York - Omegabit Operations Policy Guidelines and Recommendations".

Severity I (services unavailable), and Severity II (services severely degraded): issues should always be reported by telephone, and optionally by email. An initial response time within 2 hours is promised for Severity I issues, and 4 hours for Severity II issues, regardless of notification by automated alert or customer contact.

Severity III (non-critical services degraded, non-operations critical, or relating to a known Liferay behavior or limitation, non-critical change order requests, inquiries concerning using Liferay, etc.): issues should be communicated by email, and optionally by telephone. An initial response time within 24 hours, during normal business operating hours (Monday - Friday, 10am - 6pm, PT), is promised for Severity III issues.

See also the Liferay Enterprise Edition SLA for service and response times, which vary by level of Support Subscription.

Yes.  Omegabit monitoring and response is 24x7x365.  Advanced Professional Services support is available for support that falls outside the scope of the standard SLA. 

Liferay Enterprise Edition Support Subscriptions are available in Gold and Platinum tiers with respective business-hour vs. 24x7 response options available. 

Omegabit's primary support role is to ensure a stable and reliable environment, to monitor for signs of trouble and to provide assistance with issues like plugin deploys and configuration adjustments.

Omegabit monitors for and respond to outages 24x7x365 with a response time of 4hrs or less. The infrastructure is highly redundant to help protect against unplanned outages at the physical layer, and we will work with you to ensure a similarly stable logical configuration to the best of our abilities. Omegabit does not assume responsibility for outages due to customizations or modifications to the system; for example, if a custom plugin causes breakage to the portal, our recommendation will be to uninstall the plugin.

Email support is responded to 10am-6pm PST, and non-critical support requests can take up to 48hrs, but are typically responded to on the same-day.

Patches relating to security or access control will be prioritized over other non-critical tasks and expedited wherever possible. Software patches requiring special personnel or procedures, an extended outage, or client-side testing and coordination will be applied at best possible speed, and typically take a minimum of 48 hours and up to 5 business days to coordinate and execute. 

● Omegabit accepts support requests by email and telephone: Email Support: support@omegabit.com

● A Customer specific trouble ticket Web interface is also available as an option to report and manage service tickets for larger teams.  Credentials and connection information are supplied at the time of account activation.

● Telephone Support: 877-411-2220 x2

● 24x7 Monitoring, On-site Network Administration & Security
● Daily backups of full infrastructure, offsite archives, and disaster recovery procedures
● Fault-tolerant battery + generator backup "continuous" power
● Carrier redundant facility w/direct cross connects to: SBC, Qwest, TWTC, O1, Broadwing and more
● Enhanced fire suppression (VESDA & other measures)
● Seismic rack mount protection
● Separate physical fiber entrances
● Independent network monitoring 24x7x365 and on-premises attendance and biometric security
● Omegabit monitoring 24x7x365 of critical applications and server statistics

Omegabit has operated exclusively as a Liferay Certified Enterprise Edition Hosting and Support Services company since 2008.  It has been providing custom enterprise portal design and implementation services since 1997.  Omegabit's professional team is comprised of approximately 20 individuals with a deep background of experience building and operating high-performance, rich UI and mission-critical Liferay implementations for government, healthcare, finance, education, commercial and .com/branded sites for more than a decade.

Please see the Omegabit Hosting and Services SLA for a breakdown of incremental costs and options, service terms, warranties and other related details

As the largest single provider of Liferay managed hosting solutions, Omegabit provides hosting services for over 500 Liferay portal implementations spanning Education, Government, Finance, Healthcare, and other vertical markets.  Omegabit is also exclusively recognized as the only hosting services provider authorized to provide Liferay Enterprise Edition Tier I technical support, and to offer comprehensive managed services throughout the entire Liferay application stack.

Omegabit's network operates on a co-op principle. Our hosting facility has multiple 10Gbit carrier-class (OC) connections to the Internet and we do not throttle or limit the throughput of your system by default. What this means is that peak traffic to your site can spike substantially beyond any practical limit for brief periods with no impact on cost to you. Our carrier charges us for the average of peak 95 percentile of our traffic. This is commonly referred to in the industry as 95% or "burstable" billing.  In this co-op model, customers typically enjoy performance that is well beyond the practical limits of a standard hosting agreement by sharing a larger pipe, collectively.                                                                                                                                                                                                                 Omegabit does plan for a certain amount of bandwidth to be utilized by our installations, on average, over time. Our packages scale up or down accordingly. We do monitor usage trends for our installations. If your system is consistently using a disproportionate amount of co-op bandwidth, we may opt to offer you additional guaranteed sustained throughput at a competitive market rate, or to throttle the overall throughput of your system to meet or exceed your minimum guaranteed throughput at your discretion.

The specific size of the client infrastructure is dependent upon implementation and design decisions that will occur after this selection process.  Omegabit has provided a proposed footprint that is typical of a portal implementation meeting the stated requirements.  It includes an estimated bandwidth budget that is considerate of the included allowance, which scales up or down according to the number of server nodes subscribed.

Omegabit provides an infrastructure that is typical of the Liferay Reference Architecture.  High Availability and Fault Tolerant features will vary by SLA.

Omegabit operates a private, Liferay-optimized cloud infrastructure designed specifically for optimal performance, stability, and reliability.  Infrastructure is never over allocated, by policy, and typically is operating at <50% capacity across any physical server.  We perform regular monitoring and analysis to ensure that no backend cloud infrastructure bottlenecks exist to inhibit the performance of the client VMs.  Notably, Omegabit employs high-end SSD accelerated SAN storage and 10GB backplanes for cloud infrastructure as disk path I/O is a common bottleneck with generic cloud infrastructures.  All CPU, RAM, and disk allocations are reserved and guaranteed.

All features and configuration is performed with consideration for optimal application performance across the application stack including the network, disk, cpu, JVM, db, Apache, and other related layers.  Omegabit specializes in Liferay runtime optimization and TandemSeven is an expert implementer of Liferay architecture.  Collectively, our teams are able to provide an unmatched level of expertise relating to the theoretical design and practical application of your Liferay design to ensure the best possible performance for a given use case.

Data encryption is supported as a special requirement in the runtime. All backup and archive storage is encrypted. Typically, it is most practical and efficient to consider satisfying any encryption requirements inside Liferay at the metadata storage level during the application design phase. However, Omegabit is able to accommodate bulk file-system level storage encryption in the runtime on a needs basis.

This is documented in Omegabit Internal Operations Wiki

This is documented in Omegabit Disaster Recovery Handbook, Section 1.1 to 1.4 and Section 2.3 ref: Omegabit Disaster Recovery Plan TOC

We consider any intrusion to be a "Severity I" class event.  Which, per our SLA requires a response time of <2hrs.  In reality, our 24x7 operations staff will respond to any Severity I event the instant it is detected.  I've attached  boiler-plate/generic copy of our SLA and am happy to produce a named/completed version for a given stack if of benefit (this one calls out "sticker" and a la carte pricing and is OK to share as-is).  

In the event of any detected incident, including known breach or ongoing security intrusion, performance degradation, major change in performance profile, etc., notice is provided to the customer as soon as practical. Typically, within minutes provided we are not actively triaging and providing emergency responding to the issue.  We consider the ownership of security related issues to be a joint-responsibility along with the application sponsor.  Because, in many cases the risk may be specific to the customer's implementation of the portal, and we must be in communication with the owner to permanently resolve the issue if not to triage and block it, temporarily.  A 24hr point of contact with the customer is preferred for emergency incident notification, which can include email and telephone contact depending on severity and customer preference.

Yes, for specific audit log event analysis we use a combination of tools including but not limited to Splunk and Dynatrace SaaS; additional software subscription and fees apply for a dedicated implementation of reporting facilities for Client use and self-reporting.

This is a configurable environment option.

Adjustable per Client requirements.

Auditing and documentation is extensive and method varies by task/layer of change in infrastructure; relevant changes are documented in customer facing change management logs. Additional automated auditing is available as part of a custom configuration at any/all layers of the infrastructure by combining the appropriate facilities for each layer (Omegabit change management, inside OS runtime, Inside Liferay runtime, etc.). Liferay also offers extensive customizable auditing features and capabilities for in-Liferay event logging Liferay and Omegabit confiturations are capable of supporting most any auditing requirement stipulated. Additional configuration and services fees may apply.

This is a configurable environment option.

This is a configurable environment option. Execution of privileged actions and escalation in the OS are logged. All facets of auditing and logging are configurable.