GHX NEXUS is a cloud-based catalogue management system that pulls up-to-date item and contract data into one place and can be accessed through an easy-to-search, web-based interface or integrated into your existing ERP. NEXUS supports both supplier- and buyer-managed content, providing linkage to contracts and GS1 data.


  • Data is stored in the cloud
  • Over 2.5 million clean, up-to-date, healthcare data items, immediately available
  • Load your own catalogue data directly
  • Notification of amendments from your suppliers
  • Approve or reject supplier data amendments
  • Allows price file loading for every distinct agreement
  • Price intelligently linked to the product in the catalogue
  • Simple, easy-to-use user interface to upload and manage data
  • Feeds correct product information (including GTINs) to other systems
  • GS1 compliant GTIN validation


  • Can be accessed anywhere from any device
  • Creates a portal where supplier and provider can interact
  • Validate ordered products and services, improving fulfilment and reducing queries
  • Single source-of-truth for all parties and other systems
  • Reduced conflicts and swifter resolution process
  • Greater visibility of all shared data, reducing the administrative burden
  • Supports inventory management systems with access to the right data


£8000 per unit per year


G-Cloud 11

Service ID

1 2 4 3 6 2 6 6 2 2 5 2 9 1 7



James Minards

0845 620 2222

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints Maintenance and updates do not usually require the service to be made unavailable. Where this is required any downtime will be scheduled between 18:00-20:00 to minimise impact to customers.
System requirements
  • Access to the internet
  • Defined versions of web browsers

User support
Email or online ticketing support Email or online ticketing
Support response times Priority 1 - Target 1 hour. Priority 2 - Target 2 hours. Priority 3 - Target 4 hours. Priority 4 - Target next working day. Out of hours support can be provided on request. Additional fees apply.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels GHX provides a single comprehensive level of support. When an incident is reported to the UK support team, priority is established based upon the business impact to the customer, using the CRM system. OLAs are in place for escalations beyond the support team to technical teams. Support and an account manager are provided as part of the annual subscription fee.
Support available to third parties Yes

Onboarding and offboarding
Getting started GHX provides onsite or remote online training as agreed with the customer. Online user documentation is available through the user interface.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Users can extract their data through the user interface at the end of their contract or via request to the support team.
End-of-contract process At the end of the contract, GHX will support the customer with extraction of their data. There is no additional cost to the customer for extraction of the data through the user interface. In addition, GHX works closely with the customer on an Exit Plan to enable continuity of service with a smooth and secure transition of service to them or a replacement service provider.

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices No
Service interface Yes
Description of service interface NEXUS provides an intuitive user interface supporting full management of the customer's data and applicable business processes.
Accessibility standards None or don’t know
Description of accessibility NEXUS is designed to be highly flexible with easy-to-use functions that are accessible for all users.
Accessibility testing So far, GHX has had no customer requests to support assistive technology, but will look to support this where needed.
Customisation available No


Independence of resources To maintain high levels of service availability and provide services that scale to meet growing supply chain demands, GHX leverages an Information Technology Service Management (ITSM) framework committed to continual service improvement. Guided by the Information Technology Infrastructure Library (ITIL), GHX integrates people, process and technology to manage its vital supply chain services. This comprehensive and coordinated approach to service management enables GHX to continue to meet the evolving 24/7/365 demands of the healthcare supply chain.


Service usage metrics Yes
Metrics types Number of Catalogues, Number of Published Catalogue Items, Number of Unpublished Catalogue Items, Number of Contracts, Number of Published Contract Items, Number of Unpublished Contract Items, Number of Catalogues Awaiting Approval, and Number of Contracts Awaiting Approval.
Reporting types
  • Real-time dashboards
  • Reports on request


Supplier type Not a reseller

Staff security
Staff security clearance Other security clearance
Government security clearance None

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting
Data export approach Users can export their data through the user interface.
Data export formats
  • CSV
  • Other
Other data export formats XLSX
Data import formats
  • CSV
  • Other
Other data import formats
  • TSV
  • TXT
  • GS1 XML CIN v3.1

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience
Guaranteed availability GHX understands the critical nature of the services provided to the healthcare supply chain community. For more than 10 years, healthcare providers, suppliers, distributors and group purchasing organisations have been relying on GHX to provide enterprise-grade services. Year after year, GHX customers consistently rate GHX service availability as one of the top reasons they choose to partner with GHX. GHX provides over 99.9% annual uptime of core Exchange services; processing approximately one million supply chain transactions per day for its healthcare trading partners, including over 4,100 medical providers and 400 medical suppliers.
Approach to resilience Available on request.
Outage reporting GHX proactively monitors the availability of the services we provide. 24/7/365 automated monitoring and alerting. Tier 1, 2, and 3 Customer Care and Application Support centres. Network Operations Centre (NOC) for incident management and customer assurance. Prioritised incident management with response, resolution and communication targets based upon impact and urgency.

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Access is provisioned to GHX users on a "need to know" basis. GHX maintains on- and off-boarding procedures that are tested 2x per year during SOC1 and SOC2 audits.
Access restriction testing frequency At least every 6 months
Management access authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for Between 1 month and 6 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for Between 1 month and 6 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach GHX aligns with the PCI DSS requirements for a security program.
Information security policies and processes GHX maintains information security policies that are updated at least annually. Policies that have been translated (in Dutch, French and German) include: (1) IT Management Policy; (2) Information Security Management Policy; (3) User ID and Password Guidelines; (4) Data Classification and Handling Guidelines; and (5) Reporting Security and Privacy Incidents Procedures. To protect the data in its care, GHX looks to the ISO/IEC 27000 series of standards as the framework for the Company’s information security management system. GHX also looks to best-practice security controls in protecting data in its care, including those published by the National Institute of Standards & Technology (NIST). The GHX security program is managed by its Global Security Operations Director, under the direction of the GHX Vice President, Global Operations and Infrastructure. GHX also maintains a compliance department, managed by the Director of Compliance, under the direction of GHX Vice President, General Counsel. The compliance department is responsible for monitoring compliance with policy documents and engages an independent 3rd party to audit compliance annually (SOC1 and SOC2 audits). The SOC1 and SOC2 audits focus on activities in North America but also include global audit of certain strategic controls.

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Change Requests are received and reviewed by the change management team for completeness, accuracy and operational readiness, including but not limited to: (1) targeted implementation date; (2) business and security risks; (3) priority; (4) business justification; and (5) any other change-related information. Changes are categorised by: (1) Informational; (2) Patch; (3) Standard; (4) Minor; (5) Major; and (6) Initial Production Release. GHX performs asset inventories to track service components through their lifetime. The change process is used to track changes to assets, including the installation and decommissioning of assets. Changes are reviewed by the security team for potential security impacts.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach GHX performs quarterly vulnerability scanning to identify vulnerabilities in the infrastructure and applications. GHX performs quarterly penetration testing to assess if the vulnerabilities can be exploited. If exploits are discovered, then GHX will apply applicable patches, remove Internet access to affected systems, or make other changes as necessary to remediate the exploits. Patches are applied to systems on a quarterly basis. GHX’s Global Security Operations Director attends security conferences and subscribes to news feeds to get information about potential threats.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach GHX monitors the systems and investigates alerts from the monitoring tools. GHX investigates security alerts from system logs, office productivity applications, intrusion detection and prevention systems, and tickets submitted by end users to identify potential compromises. GHX follows its incident response procedures to evaluate the incident. Infrastructure and application engineers will be engaged for the technical analysis on incidents and take appropriate action to resolve the incident. GHX Global Security Operations Director oversees the incident investigation, and the GHX Director of Compliance oversees the investigation for breaches of data and requirements for reporting.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach GHX has a defined GHX Security and Privacy Incident Response Plan for responding to incidents. Customers report incidents to the GHX customer success team, and the customer success team keeps the customer informed of progress. GHX employees use an internal ticket procedure to report incidents.

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks
Connection to public sector networks No


Price £8000 per unit per year
Discount for educational organisations No
Free trial available No
