Firefly Online Limited

Local Supply Chain

Supplier Relationship Management software for Public Sector organisations who manage construction related services including frameworks, pipelines, supply chains, approved lists, assessments, projects, procurements & performance. Focus on engaging 'local' suppliers & creating a fair & level playing field for SMEs who wish to engage with Public Sector construction related spend.


  • Framework Management
  • Project Management
  • E-procurement (Pipeline, EOI, ITT, Sealed Bids, Awards & Feedback)
  • Supply Chain Management
  • Supplier engagement (SMEs, Micro, Social Enterprise etc)
  • Tracking local spend & engaging local markets
  • Market Intelligence
  • Advertising pipeline & work opportunities
  • Supplier performance management
  • Microsoft Azure Cloud based software


  • Transparency across frameworks, projects, procurement and supply chain
  • Improved collaboration across business units, teams and colleagues
  • Enhanced supplier intelligence
  • Creates a 'fair & level' playing field for SMEs
  • Improved Governance, transparency & auditability
  • Oversight & control over projects & procurement activities
  • Reduces duplication & paperwork
  • Removes barriers for SMEs wishing to engage with Public Sector
  • Boosting local spend with local suppliers, driving economic benefits
  • Streamlines internal & external processes


£9500 per licence per year



G-Cloud 11

Service ID

131138607341457


Firefly Online Limited

Richard Ratcliffe

0800 197 6958

Service scope

Software add-on or extension No
Cloud deployment model Public cloud
Service constraints N/A
System requirements
  • Internet Connection
  • Website Browser

User support

Email or online ticketing support Email or online ticketing
Support response times Mon - Fri during Working Hours (09:00 - 17:00) our average response rates are under 2 hours (excluding bank holidays)

Mon - Fri outside of working hours we respond the next working day.

Sat - Sun we respond the next working day
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard WCAG 2.1 AA or EN 301 549
Web chat accessibility testing We have not yet carried out chat testing with assistive technology users.
We use Zendesk for providing online customer service and Zendesk are WCAG 2.1 compliant.
Onsite support Yes, at extra cost
Support levels Firefly-Online has a support help-desk service (Zendesk) that provides support for all user groups. We provide all of our clients with a Service Level Agreement which details the multiple support routes we offer, the response and resolution times.
Support available to third parties Yes

Onboarding and offboarding

Getting started We initially provide onsite training followed by online training sessions, which is sufficient in most cases. If users require additional training we can provide onsite or online training.
We also have a full set of video user guides to help users with any queries, and knowledge based articles & online help for further information.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Users can contact us and we will ensure that all of our clients' data is extracted in a suitable format if required.
End-of-contract process Following a 28 day termination notice, we will terminate any licences associated with the organisation and terminate all user access within the organisation. We will not terminate 3rd party access from those suppliers engaged by our client as they may also be engaged with other clients.
At the end of a contract we will provide a complete data extraction of all data which is owned by our clients. If a data extraction is required in a non standard format or via an API there will be an additional cost.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The design is responsive so the application resizes to optimise the user experience and functionality dependent on the device being used.
Service interface No
Customisation available Yes
Description of customisation The following areas of our system can be customised:
Frameworks, Supplier Assessment Templates, Project KPIs, Performance Templates & Branding - customised in our database by Firefly-Online.
Supplier Labels, Users & Roles - customised via our front end solution by clients.


Independence of resources At our monthly ISMS Committee we focus on confidentiality, availability and integrity. One aspect of our focus on availability is to review resource planning requirements based on current and historic usage, and pipeline management. Our cloud provider offers auto scaling which enables our platform to automatically adjust resources based on demand. Also, we regularly garner customer feedback on platform performance to ensure our service meets our customers' expectations.


Service usage metrics Yes
Metrics types Analytics & Metrics are delivered through the client's internal dashboards.
Reporting types
  • Real-time dashboards
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest Encryption of all physical media
Data sanitisation process No
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach Clients can contact our support team via e-mail who will ensure all of their data is exported within 28 days.
Data export formats
  • CSV
  • Other
Other data export formats
  • JSON
  • XML
Data import formats CSV

Data-in-transit protection

Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability We provide our clients with our standard SLA which targets us at 99.9% service availability.
Credit notes are issued if our service levels fail to meet our SLA. We can also offer bespoke SLAs on a client by client basis if required.
Approach to resilience Our software is hosted in the Microsoft Azure Cloud which generates 6 backups of data across two separate data centers, and Microsoft guarantee 99.9% availability. Azure Site Recovery is very powerful and allows for instant recovery.
Outage reporting Our service desk management team will have designated contact details for customers under contract. We will provide timely updates to all customers and we provide detailed information on the current status on updates and outages. Customers are also able to track issues via our helpdesk.

Identity and authentication

User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Role based security per user account. Management and Support personnel have no access to clients' individual accounts.
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI
ISO/IEC 27001 accreditation date 02/07/2018
What the ISO/IEC 27001 doesn’t cover 3rd Party Information Security Management
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We have our own Information Security Management System (ISMS), which we use for all information security policies and processes to ensure we maintain and improve security levels. This system is also used to ensure we meet and exceed all ISO 27001 expectations. It includes a wide range of policies and processes, some of which are mandatory in order to maintain our ISO 27001 accreditation and others which we have introduced as a business to strengthen security policies and practice.
Microsoft Azure also have a Security Management Program which enables Microsoft to track, monitor, maintain, evaluate and improve information security from their part as a third-party supplier of Firefly-Online.
Microsoft's ISMS information can be found here and Firefly-Online can provide complete details upon request.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach Upon receiving a request, we put together a business case and conduct a data protection impact assessment. This is then reviewed by the senior management team who will either authorise, reject or require additional clarification. Upon authorisation, the system architect will provide a detailed plan and review the impact assessments. This will then be passed to the project team for implementation. Once changes are made, detailed testing will be conducted before release to our live environments.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We utilise Microsoft's Azure patch management process to update our platform and software. Within 12 hours of release of Common Vulnerability Exploits, updates are deployed across the estate. We also regularly monitor news feeds for exploits that impact our environment and deploy defensive strategies to mitigate the impact of vulnerabilities until a patch is publicly available and deployed.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We utilise Microsoft's Security Centre to monitor activity within our network and deploy additional monitoring within the application. Alerts are sent to our Development Director who is responsible for incident management. When a compromise is identified our incident management plan is put into force to mitigate/resolve any issues discovered. We will review all alerts within 60 minutes of notification.
Incident management type Supplier-defined controls
Incident management approach We have developed a playbook for common events and actions required for each event. Events can be reported via automated monitoring systems, staff identification and external customers. Once an event is reported our Development Director is responsible for triage, root cause analysis and returning service to normal conditions. All incidents are reviewed by the senior management team within the monthly ISMS meetings or before if required.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks No


Price £9500 per licence per year
Discount for educational organisations No
Free trial available No
