Punchout Catalogue

catalog360 is a proven ready-to-go PunchOut e-commerce solution, which enables suppliers to connect their store directly to the buying software used by purchasing departments of large organisations using the cXML or SAP Open Catalog Interface (OCI) standards.


  • Powerful Web-based Product eCatalog (PIM)
  • Bulk Catalogue Import/Export using Microsoft Excel
  • Integrated with SAP (OCI), Ariba, Oracle or any cXML


  • Easy-to-use and fast product display
  • Instant Search feature


£3600.00 per licence per quarter

  • Free trial available

Service documents

G-Cloud 9



James Naylor

07984 598 598

Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Catalogue360 E-Procurement Platform
Cloud deployment model Public cloud
Service constraints No
System requirements
  • Browsers supported: Google Chrome - latest version (recommended)
  • Microsoft Edge - latest version Microsoft Internet Explorer Version 10+
  • Firefox - latest version

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Email Support at
Telephone Support on via Toll Free Number 24 hours Monday to Friday
Response Time: 4 hours Monday to Friday

Email support only at weekends
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Standard Support (M-F 9 to 5)
Enterprise Technical Support (M-F 24 hrs)
Platinum Technical Support (24/7)

The cost of the support levels is dependent on user numbers and the proportion of user types i.e. portal users, admins, super-users etc.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started There are detailed help files to explain all of the admin functions. Online training can be viewed on the catalog360 website for portal users. Onsite training can also be provided.
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction Data can be extracted in a variety of formats using the reporting function.
End-of-contract process On completing the notice period as set out in the Terms and Conditions, the customers' access will be turned off. There are no costs attached to the end of the contract. Data will be stored for 90 days from end of contract.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service None
Accessibility standards None or don’t know
Description of accessibility The platform utilizes Browser Access Keys.
Accessibility testing In-house
What users can and can't do using the API The API covers every entity in the datamodel. The Admin has export and import features for all core entities. catalog360 has a rich import/export Excel Manager spreadsheet, covering all aspects of the catalog data. Custom bulk-load jobs can be created as the need arises.
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The solution is highly configurable. Admin users have access to a Settings page that enables control of branding of, user permissions, catalogue views, approval workflows and order workflows. The platform has a powerful reporting function that enables users to design reports based upon their own queries.


Independence of resources The catalog360 platform utilises AWS Elastic Load Balancers to automatically scales request handling capacity when demand is increased


Service usage metrics Yes
Metrics types Catalog360 supplies detailed audit trails of both Admin and Portal users. Including username, date/time, IP address and actions.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Staff screening not performed
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Other
Other data at rest protection approach Currently we use AES 256 bit encryption. Keys are per tenant and can be cycled. Each encrypted field is stored with related codes indicating the key version.
Data sanitisation process No
Equipment disposal approach In-house destruction process

Data importing and exporting

Data importing and exporting
Data export approach Via the Reporting Function
Data export formats
  • CSV
  • Other
Other data export formats
  • Xls
  • Xlsx
  • .txt
  • .html
  • Json
  • Xml
  • PDF
Data import formats
  • CSV
  • Other
Other data import formats
  • Xls
  • Xlsx

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks Other
Other protection between networks Currently we use AES 256 bit encryption. Keys are per tenant and can be cycled. Each encrypted field is stored with related codes indicating the key version.
Data protection within supplier network Other
Other protection within supplier network Currently we use AES 256 bit encryption. Keys are per tenant and can be cycled. Each encrypted field is stored with related codes indicating the key version.

Availability and resilience

Availability and resilience
Guaranteed availability Web Site - Performance of 99.99% (scheduled maintenance excluded)
Database - Performance of 99.99% (scheduled maintenance excluded)

Service Unavailability Credits:

Less than 4 hours: None
Between 4 and 24 hours: 25% of monthly fee or 8 days of free web hosting service
More than 24 hours: 50% of monthly fee or 15 days of free web hosting service
Approach to resilience Available on request
Outage reporting Outages are reported on a public dashboard

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels The solution feature pre-defined Roles that are granted permission tokens for functional areas and function points. The roles can be customised. Groups provide organisational management and can be assigned to a Member to manage. Permission tokens can be directly mapped to Groups. Users can inherit permissions from both the roles and the groups assigned to them, as well as be granted specific permissions directly.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Qualys
PCI DSS accreditation date 2010
What the PCI DSS doesn’t cover Nothing
Other security accreditations No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance accreditation No
Security governance approach Catalog360 are in the process of adopting a Security Governance Policy which is available on request.
Information security policies and processes Catalog360 are in the process of adopting an Information Security Policy which is available on request.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Any changes to the software will go through quality assurance cycle, typically involving a QA cycle, Product Management assurance, User acceptance. We follow a 6 week release cycle. The release schedule is published. Each release is supported by a release note which describes the changes in the release & updated documentation to support the changes.
Configuration management:
All the services and components are source controlled using GitHub. Jenkins is used for continuous integration which runs regression. Octopus is used to promote the changes in pre-defined workflow.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Our infrastructure team apply a best-in-class security policy to each device deployed, followed by 3rd party scanning.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We utilize Amazon's CloudWatch services and two 3rd party services 1) Stackdriver to monitor each component of the infrastructure 2) Pingdom external site availability monitoring and SLA reporting.
Web facing nodes (configured in a multi-node redundant manner) can be re-launched from archived server images, into a new region if need be within minutes of a failure.
Incident management type Supplier-defined controls
Incident management approach All communications are managed by a third party service and can be found on the url:

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £3600.00 per licence per quarter
Discount for educational organisations No
Free trial available Yes
Description of free trial There is a free trial option that can be registered for our the website. This full system with no restrictions.

The Trial period is for 30 days but can be extended on request at the supplier's discretion.


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑