EU Supply Limited

Purchase 2 Pay (P2P)

EU Supply P2P handles the entire process. Effective tool for buying products and services, where company policies, approval flows, buying limits are kept in place. Invoices automatically matched and compared to pre-approved orders and processed with automation. Includes full contracts life-cycle management system, automating controlling processes, compliance reporting and more.


  • Easy-to-use search option for effective product search
  • Catalog orders, service procurement, supplier webshop integration (punchout) and more
  • Template based ordering customizes the procurement experience
  • Advanced approval flows easily handled by end-users
  • Intuitive goods receive/product handling process
  • Automatic coding of invoices using advanced machine learning technology
  • 3-way automatic invoice-order matching for process optimization
  • Full contract life-cycle management with milestones and spend management
  • Customizable dashboards for collaboration throughout your entire organization
  • Effective supplier tools for optimizing collaboration across your supply chain


  • State of the art, cloud based P2P platform
  • User-friendly and effective solution across devices
  • One corporate procurement process reducing maverick buying
  • Securing products and prices from preferred suppliers
  • Time and cost saving tool through effective order handling
  • Automated account processing (AP), controlling and compliance
  • Transparency, financial control and spend management
  • Reporting and advanced analytics across big data
  • Full audit history and high security measures
  • Fully integrates with numerous ERP systems


£25,000 a unit a year

  • Education pricing available
  • Free trial available

Service documents


G-Cloud 12

Service ID

1 4 0 3 8 5 8 3 6 1 4 7 2 1 5


EU Supply Limited Sid Bains
Telephone: 07789 260 680

Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
1. Multiple files and folders can be uploaded as tender documents, however, each file should not be more than 2.14GB. 2. Maximum data space for the Authority is 10GB allowed in the basic price but additional space can be purchased if required.
System requirements
  • Internet access
  • Any commonly used browser, including up to 3 previous versions

User support

Email or online ticketing support
Email or online ticketing
Support response times
Email or ticketing support queries get an immediate ticket number and Severity Level 1 issues are normally responded to within the same business day. Please see enclosed SLA in our Service definition document.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 A
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Support for both buyer and supplier users is included at no extra cost. A technical account manager is assigned for each client. Helpdesk is accessible via e-mail and phone.
Minimum guaranteed SLA is 99.5% during Working Hours and actual current performance is 99.8%
Support available to third parties

Onboarding and offboarding

Getting started
Authority makes a request to join the system via contacting EU Supply (phone or via email) and completes a simple initialisation form with the Authority details and buyer details.
Upon receipt of a Purchase Order, the Authority is set up in the system both on the live production site and a demo/training site. Standard procurement templates are loaded for the Authority.
The secure log in is sent to the Administrator of the Authority. The Administrator of the Authority can access guidance and training material and create additional users as per the Purchase Order.
Authority can go live and start publishing tenders within one day of receipt of online form and the PO.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
The archive module will allow the Authority to download all tender response data, including communication messages and audit trail as reports. In addition, we can create an encrypted 'zip' file for the Authority to download.
End-of-contract process
Authority has to give written notice of termination and then the archive facility will be swithced on to allow the Authority to download the tender data. There is no additional cost for this.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Mobile device requires a browser and internet access. For security reasons there is no APP to be downloaded. There is no difference between the mobile and desktop service apart from the screen being smaller on a mobile device. Some page layouts may not be optimal for small screen mobile devices. File upload may be a limitation on mobile devices.
Service interface
Description of service interface
There are multiple service interfaces to different system e.g. RSS Feed, archiving systems, publishing systems (TED and Contract Finder), E-Signature providers and National Notification Platforms such as Doffin (Norway).
Accessibility standards
None or don’t know
Description of accessibility
Testing has been performed on the Doffin National Notification Portal for Norway.

All system public pages have been tested. A formal accessibility statement is published on our platform in compliance with Accessibility Regulations 2020 which is a legal requirement by September 2020.

EU-Supply is fully committed in making all public pages of the platform website fully accessible, in accordance with the Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2020.
Accessibility testing
Testing has been performed on the Doffin National Notification Portal for Norway.
What users can and can't do using the API
The system allows the export of data using interfaces such as RSS Feed and Data Download Service API. The user can build their own reports and interrogations using this API.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Procurement Templates can be configured via the Administrator interface; Secure workspaces can be set up; OJEU templates and invitation letters can be configured; Online questionnaire template libraries can be set up; Document Libraries can be set up; Additional users can be set up and access rights (read only, editor etc.) can be set up by the Authority (subject to the Purchase Order licence requirements); A branded page can be set up; Url of the site will be in the format;


Independence of resources
The current loading of the platform is closely monitored and is kept below 30% of the capacity to cater for rapid increase of service load. Additional servers can be added easily to increase the capacity if required. Application infrastructure supports web servers to be fully scalable. Additional web servers can be added on-demand.


Service usage metrics
Metrics types
Depending on SLA, service usage metrics can be made available under monthly, quarterly, half-yearly, annual basis.
Reporting types
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
A number of reports are available for the user to export their data, including tender responses, supplier communication messages, audit trails and evaluation reports. In addition, there are configurable reports the user can use as well as the Archive facility to export all tender responses.
Data export formats
  • CSV
  • Other
Other data export formats
  • Xls
  • Pdf
  • CSV
  • Doc
  • Xml
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
  • Xls
  • Txt
  • Docx

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Minimum SLA is 99.5% during Working Hours, but target and currently achieving 99.8% over the last few years.
Approach to resilience
High Availability(HA) infrastructure designed to host CTM application with redundancy of resources at all levels.
• HA pair of Front firewalls for service boundary protection to accept the incoming HTTPS connections.
• A second tier of HA pair of firewalls exists between the web servers and the backend databases.
• Web servers are clustered to provide redundancy and scalability.
• Database mirroring technology is used to maintain Primary-Secondary database instances as hot standby server with automatic rapid failover support
• All file storages are replicated to a secondary location
• Backups are taken into disaster recovery location using secured connection through IPSec tunnel
Outage reporting
Public dashboard and email alerts

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
Access to management interfaces are protected by Secure VPN access and 2-factor authentication.
Role-based access controls for information systems are established to incorporate only “need to provide” legitimate limited access to meet business needs.
Access to the resources on the EU-Supply network, computing, information systems and peripherals is strictly controlled to prevent unauthorised access.
administration access within the EU-Supply infrastructure is restricted to those persons who are qualified and authorised to perform systems administration / management functions. Even then, such access are performed under dual control requiring the specific and documented approval of Change Requests.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
Carlstedt Inc
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover



Carlstedt Inc, a licensed partner of PECB Nordics, herby affirms that the above organisation operates an
that conforms to the requirements of ISOIEC 27001/2013.

The scope and boundaries of the ISMS which meets the criteria of the ISO/IEC 27001:2013 specification of a ISMS covers the management of Information Security aspects in the following areas: All Business Processes, including the following in-scope location(-s): All Locations of above organisations.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • ISO 9001:2015
  • ISO 20000-1:2011
  • ISO 14001:2015

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
Confidentiality of information is guaranteed as part of our integrated information management system. This has been implemented and refined since 2009 to safe guard EU-Supply IPRs, security of its information and services, quality of its services and projects, and this integrated management system has been certified ISO 27001:2013, ISO 9001:2015, ISO 20000-1:2011 and ISO 14001:2015 for all business processes across the group, with certifications all performed by PECB accredited certification body. All access to the system delivered as Software as a Service is via secure user authentication. Only users with access to documents and workspaces can view, edit or download information and manage workflow. There is logical separation between workspaces and user profiles.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Configuration and change management process described in EU-Supply’s Information Security Management System(ISMS) which is ISO/IEC 27001 certified:
• All changes in are subject to Change control process and are to be tested prior to deployment
• All changes need to be analysed for risk of applying/not-applying change
• All changes needs a formal Change request form to be filled in by the requestor which includes time-plan, detailed steps, responsible, rollback plan etc for any change and sent to ISF (Information security forum) for approval
• Upon approval of ISF, changes are applied
• ISF maintains changes in the Change Record
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
It is the policy of EU-Supply to ensure that vendor supplied security patches of Software/OS/3rd party components in use are applied in a timely manner.
Patches are subject to Change Control Process and are to be tested before deployment.
Patches are obtained from the relevant support provider.
Identified critical security patches are installed as soon as practicable.
A variety of sources of critical patch information are to be used. Examples include Vendor websites, vulnerability websites, vulnerability scans carried out by the systems security team and directly from the Support provider support team.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
A number of monitoring control features are in use, including "internal" (through System Center Operations Administrator SCOM) as well as "external", such as Site scanner service to monitor external access of websites.
There are other logging features also enabled such as IIS logs, firewall logs, URL traces, error logs etc. EU-Supply operations team monitors such alerts and logs proactively to identify potential problems and find remedy.
If a potential compromise is discovered then it is dealt according to severity classification as laid in Incidence response procedure in Eu-Supply Information Security Management System(ISMS) which is ISO/IEC 27001 certified.
Incident management type
Supplier-defined controls
Incident management approach
EU-Supply process is detailed in Incident Response Plan according Information Security Management System(ISMS) which is ISO/IEC 27001 certified. Aspects:
• Incident management roles and responsibilities.
• Communications strategies and mechanisms for escalation, including contact details.
• The conditions under which third parties are contacted.
• How incidents are to be categorised and prioritised.
• Reporting requirements.
• Process flow from incident notification to final closure.
• How to respond to different incident types.
• Strategy for business continuity post compromise.
• Analysis of legal requirements for reporting compromises & Procedure for personal data protection breach and registration of breach (GDPR)

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£25,000 a unit a year
Discount for educational organisations
Free trial available
Description of free trial
Free version available for 3 months with full functionality. Setup and implementation costs are chargeable.

Service documents