Website Hosting Services

The vendor is required to provide website hosting services, project management services to migrate city’s websites from the current hosting provider and other related services for the city’s websiterequirements.
- To deliver a secure, scalable, and high-performing hosting environment that ensures uninterrupted access to digital content and services.
- The proponent’s solution should provide a cost effective, market proven solution that meets the following requirements:
• Cloud-native infrastructure with high availability and auto-scaling capabilities based on traffic and usage demand; 
• Hosted websites should load quickly and respond reliably to input from visitors; 
• Hosted websites should maintain a minimum uptime of 99.9%, excluding planned maintenance; 
• Hosted websites should be protected from online threats, including malware, viruses, and other security breaches; 
• The hosting service should offer timely and frequent security patching; 
• Ease of use and user management, including intuitive web-based control panels and dashboards
• The service should offer role-based access control and secure user authentication; 
• Automated daily backups with configurable data retention periods
• Disaster recovery capabilities with defined RTO (recovery time objective) and RPO (recovery point objective); 
• Real-time performance and uptime monitoring, with logging for access, errors, and security events, and integration with alerting and incident management tools; 
• 24/7 technical support with defined response and resolution timeframes; 
• Support for ci/cd pipelines and integration with version control systems; 
• Ability to connect with external systems through platform integrations with the solution itself or accessible via APIs; and 
• Compliance with state freedom of information and protection of privacy act (FIPPA), and adherence to the city’s information security protocols.
- The main objectives of the hosting services, such as ensuring website uptime, security, and scalability:
• Provide reliable, continuous access to the city’s websites;
• Ensure high performance, fast response times, and robust security protections;
• Offer regular scheduled maintenance and responsive technical support;
• Support scalable hosting resources to accommodate variations in website traffic and usage;
• Meet data residency and regulatory compliance requirements;
• Enable system monitoring and support generation of detailed and dashboard-level reports;
• Allow city development and content teams to maintain and enhance websites with ease;
• The service will be cost effective with a transparent and predictable pricing model;
• The city can rely on 24/7 customer support with defined service levels for response and resolution; and
• The contractor will provide the necessary technical tools, project management resources, and migration support to transition the city’s websites from the current hosting service.
1. Environment
• Shall offer three different environments: development, staging and production;
• Shall offer content-based routing (layer 7 / application layer);
• Shall perform regular health checks on backend servers;
• Shall support passive health checks (failure detection based on live traffic);
• Shall implement traffic distribution algorithms. e.g., round-robin, least connections, IP has, geographic routing, etc.
• Shall support upload of custom SSL certificates, support for managed certificates, TLS 1.2 or higher;
• Shall support web application firewall (WAF) integration, including DDoS protection, rate limiting, IP blacklisting and whitelisting, SSL policies and https redirection 
• Shall offer reports and dashboards on traffic, latency and failures; shall offer on-demand, detailed logs to support production issue resolution;
• Shall offer high availability and redundancy that is comparable to major industry leaders and
• Shall offer session persistence (e.g., cookie-based session affinity, IP hash, or session token mechanisms)
2. Tech stack compatibility
• Shall offer a Linux-based operating system. ubuntu is preferred; 
• Shall offer web servers that are optimized for Drupal. 
• Preferred options include Nginx and Apache; 
• Shall offer database servers that are optimized for Drupal. 
• Preferred options include MariaDB, MySQL and PostgreSQL; 
• Shall offer Drupal-specific and general http caching mechanisms, such as Redis, Memcached, and varnish; 
• Shall offer writable file directories; 
• Shall support a range of php and Drupal versions, including the latest stable release and supported legacy versions to allow for upgrade planning and application stack compatibility; and 
• Operating system, database, and web server versioning should provide sufficient flexibility and lifecycle support to enable structured upgrade planning.
3. CI/CD and DevOps integration
• Shall support git-based deployment, including integration with common platforms such as GitHub or GitLab; 
• Shall offer automated build and deployment pipelines; and 
• Shall support use of Drush and composer for Drupal development and dependency management.
4. Backup and disaster recovery
• The service shall offer automated, full-site backups at a minimum frequency of once per day; 
• On-demand, manual site backups shall be supported, with appropriate authorization for designated city system administrators; 
• Full site backups should include the database, files, configuration and preferably logs;
• Backup data should be retained in accordance with industry standard; a 30-day retention period is preferred; 
• Backup data should be stored off-server; 
• Backups should be encrypted at rest and in transit 
• Backups should be version controlled and easily retrievable; (8) certification or attestation of compliance with recognized industry standards is highly desirable; 
• Recovery time objectives (RTO) should be comparable to leading PaaS providers, such as 1 to 4 hours; 
• Recovery point objectives (RPO) should be aligned with the specified backup schedule and comparable to leading PaaS providers, such as 24 hours or less; 
• The cloud infrastructure shall have built-in redundancy to ensure continuity of service in the event of server failure; and 
• Proponents should support participation in disaster recovery drills.
5. Monitoring and reporting
a. The service should automatically self-monitor for:
• Uptime and availability;
• Performance (e.g., time to first byte, front end and backend page load time, slow transactions and bottlenecks, php execution time, database query performance, etc.);
• Security
• Infrastructure and
• Database
b. Reporting capabilities should include:
• Traffic and analytics (e.g., page-level traffic reports, referrer data, geographic source, search engine crawler activity, bandwidth usage by domain);
• System performance dashboards and automated daily, weekly, or monthly reports;
• Audit trail reporting (e.g., user logins, configuration changes); and
• Compliance reporting (e.g., HIPAA, PCI DSS, and other applicable standards).
c. Alerting and notification features should include:
• Threshold-based alerts. (e.g., CPU usage > 90%, TTFB > 500 MS);
• Integration with third-party applications, such as Splunk; and
• Webhook or API-based alerting and integration.
6. Web application firewall (WAF)
• Http/https traffic filtering;
• Protection against OWASP top 10, including:
o SQL injection
o Cross-site scripting (XSS)
o Cross-site request forgery (CSRF)
o Remote file inclusion (RFI)
o Security misconfiguration
• Behavioral and anomaly detection
• Blocking and rate limiting
o Block bots, web scrappers and dos attacks
o Rate limiting applied to specific users or IP addresses
• Access control
o Geo-blocking, IP whitelisting/blacklisting, and header inspection
• logging and monitoring of WAF activity
• Virtual patching to mitigate known vulnerabilities
• SSL/TLS termination and inspection
• Custom rule sets. allows for implementation of city specific security policies
• Content delivery network (CDN) and performance optimization
7. Digital asset management (dam)
• Centralized asset management
o Storing and organizing
o Metadata tagging
o Advanced search
o Version control
o File history tracking
• Portals & templates
o Share curated collections of assets with internal teams or external partners
o Design and distribute localized, on-brand collateral using dynamic templates
• Workflow and approvals
o Customizable workflows
o Ability to comment for collaborative feedback
• Metadata management
o Custom metadata schemas to align with business taxonomy
o Ai assisted auto-tagging capabilities to streamline metadata assignment
• Access and permissions
o Granular role-based access control (RBAC)
• Distribution and publishing
o Easy integration with city’s Drupal CMS
o Integration with social media and other marketing platforms
• Analytics and insights
o Track asset usage, downloads, and engagement to measure content performance
o Insights to inform content strategy and ROI
• Security and compliance
o Enterprise-grade security features including SSO (single sign-on), audit logs, and encryption
o Tools for rights management and expiration alerts
• Integrations
o Connects with multiple marketing tech platforms
o APIs and connectors for custom integrations
• Scalability
o Capacity to support a growing library of digital assets
o Ability to accommodate expanding and complex team structures
8. Data residency requirement
• All hosted data, including files, databases, backups, and logs, must reside exclusively on infrastructure located within territory.
• The hosting provider must confirm that:
o No data is transferred, replicated, or stored outside country at any time, including during backup, disaster recovery, or CDN operations.
o Any third-party services (e.g., CDN, monitoring, DNS) integrated with the hosting solution also comply with country data residency laws or have country hosting options.
- Providing the project management services and technical subject matter expertise to support the city in migrating the three listed websites from the current hosting service provider to the proponent’s web hosting platform.
- The hosting service migration project shall have clearly defined milestones and phase-specific deliverables.
- Contract Period/Term: 1 year