An integrated cloud procurement solution that gives secure access to the central government contracts together with those of other professional buying organisations. Users can catalogue shop, free text order and request for quote (eRFQ). Settlement can be made using p-card, Basware ePayments or using a standard purchase order/invoice process.
- Exchange and manage purchase documents electronically, eliminating paper.
- Search for goods and services across hosted catalogues
- Buy using catalogues, free text orders, or request for quotation
- eInvoices received via the network are fully HMRC VAT compliant
- Access to Crown Commercial Service content
- Access to over 39000 suppliers on the Basware Commerce Network
- Comprehensive support, service management, disaster recovery and supplier adoption
- Punch-out access to the catalogue and eRFQ tools
- Integration with ERP solutions: SAP, Oracle, Unit 4 and others
- Optimal control and efficiency using automated end-to-end electronic paperless process
- Reduction of errors and costly delays within the procurement process
- Total visibility of third party spend
- Catalogues managed by suppliers with complete control for contract managers
- Improved cash flow through electronic invoicing and ePayments
- Simple and intuitive solution reduces implementation costs
- Catalogue, free text, RFQ and contract shopping from one solution
- Maximise the investment in your existing ERP/P2P solution
- Free access to the eMarketplace for suppliers
- Reduce maverick spend buying from approved content/suppliers within approved processes.
£4020 per unit
Basware Holdings Limited
0845 603 2885
|Software add-on or extension||Yes|
|What software services is the service an extension to||
Basware Purchase to Pay
Basware Invoice Automation
|Cloud deployment model||Private cloud|
|Service constraints||We operate a rolling maintenance programme, with releases normally scheduled on a bi-weekly basis outside of core hours. The release schedule is designed to protect the live computing environment through the use of formal processes and procedures and to facilitate software and possibly hardware releases into the managed IT environment. The timing and activities of the planned maintenance will be in accordance with the schedule unless otherwise specifically agreed and will be carried out during non-core hours with release notes provided to nominated customer contacts.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||Within 1 hour during normal business hours Monday to Friday, excluding Bank Holiday and weekends.|
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
Service Desk provides advice and assistance in connection with:
Operational use and service requests related to the software or service
Suspected incidents and problems.
Support levels include Standard, Silver and Gold.
Response and resolution times are dependent upon package and criticality.
Silver and Gold packages attract additional charges.
Available during local business hours and with agreed language. 24/7 as an option.
|Support available to third parties||Yes|
Onboarding and offboarding
|Getting started||Basware provides its services in an entirely packaged form that lends itself to easy call off from a framework. This is our normal modus operandi as all of our current client base call off our services from a Government framework agreement and clients can be fully apprised of the services they will receive and at what cost. This includes service levels and all other attendant matters including service levels, term of the arrangement and governing terms and conditions. Training is provided prior to service Go-live along with user documentation.|
|End-of-contract data extraction||As it is an entirely managed service it is simply a matter of ceasing access to the service and ensuring that all client owned information is returned to them. This is part of the service provided. If the service is terminated then all business documents and associated metadata held within the Customer's systems can be exported using the application's export functionality by the Customer. Metadata will be in human readable format.|
|End-of-contract process||On completion of the call off, we can simply cease the services and the processes for doing so are clearly articulated within the arrangement. As it is an entirely managed service it is simply a matter of ceasing access to the service and ensuring that all client owned information is returned to them. All confidentialities relating to the services are maintained indefinitely as part of the arrangement.|
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||No|
|Accessibility standards||WCAG 2.0 A|
|Accessibility testing||Basware has tested our User Interface with external users of Assistive Technology.|
|Independence of resources||
Basware uses databases with sharding to separate customers over multiple database instances. Our platform is based on parallel microservices running over multiple virtual servers in the cloud. We also use queuing and batching for large tasks to reduce load issues.
CPUs, memory and instances are all flexible in the Cloud
|Service usage metrics||No|
|Supplier type||Not a reseller|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Security Clearance (SC)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||‘IT Health Check’ performed by a CHECK service provider|
|Protecting data at rest||
|Data sanitisation process||No|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||
The service can be scheduled to export data and image files on a regular basis. Documents can be bulk uploaded in XLS, XML and CSV formats. Basware can support virtually any structured data format.
The service will export individual transactions either grouped into a batch or as separate invoice sets (content, image & attachments). The latter is the more common method of transfer.
These can be Zipped and signed as required.
|Data export formats||
|Other data export formats||XML|
|Data import formats||
|Other data import formats||XML|
|Data protection between buyer and supplier networks||
|Other protection between networks||System is subject to independent CHECK compliant testing annually.|
|Data protection within supplier network||
|Other protection within supplier network||System is subject to independent CHECK compliant testing annually.|
Availability and resilience
Basware offers the following SLAs:
SAAS One 99%
SAAS Two 99.5%
SAAS Three 99.5%
|Approach to resilience||Available on request|
|Outage reporting||Email alerts|
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||Basware has documented logical access controls, for requesting and granting access rights to production systems and applications. Access is on a role-based model, approved by management. Access rights are removed from operating systems and applications immediately after termination/transfer of employment and specific notification from HR or supervisors. Access profiles defining roles based on user job functions are documented and used to restrict access. These follow the principle of least privilege. Root, Administrator and other privileged operating system level access to production system is restricted to authorised individuals. Operating system and applications are configured to enforce minimum requirements for password quality/expiration.|
|Access restriction testing frequency||At least once a year|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users have access to real-time audit information|
|How long supplier audit data is stored for||User-defined|
|How long system logs are stored for||User-defined|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||DNV GL Business Assurance Ltd|
|ISO/IEC 27001 accreditation date||16/06/2015|
|What the ISO/IEC 27001 doesn’t cover||The service is fully covered by the certification.|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security accreditations||Yes|
|Any other security accreditations||
|Named board-level person responsible for service security||Yes|
|Security governance accreditation||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||
Basware’s UK services are accredited by the Crown Commercial Service as a PSN Assured service for the handling of data classified up to OFFICIAL and for data marked as OFFICIAL SENSITIVE. Basware’s Marketplace holds ISO 27001 certification. A yearly CESG CHECK compliant penetration test is completed which is required to support the PSN Assured accreditation.
All servers hosted within the Basware Commerce Network have a full anti-virus suite installed to detect and prevent the uploading and execution of malicious software. Data held in the system is protected using access control mechanisms that are tested yearly as part of the CHECK compliant penetration test, approved within the Crown Commercial Service issued PSN Assured accreditation. The remote management of the system and therefore access to the data has its own specific RMADS.
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||The Basware solution has been built to be managed by our customers and configuration changes would typically be carried out by the customer organisation. Basware's software as a service offering does not work on the approach that our customers are buying services from us for configuration changes. If Basware is required to make changes then a formal and documented change management process must be followed. Configuration changes are documented as change request tickets.|
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||
Systems are scanned for vulnerabilities at regular intervals. Customer production systems are scanned weekly. Customer and internal IT production systems are scanned internally with privileged system credentials for:
hard-to-find vulnerabilities and configuration errors, installed software patches, and system configuration compliance against applicable benchmark standards.
Risks are recorded in a risk register. The risk assessment includes business impact assessment, threat assessment, and vulnerability assessment. Risk management includes risk mitigation actions, risk avoidance, risk transfer, and risk acceptance in full or in part. Risk mitigation may include preventive, reactive, and corrective actions. Reactive and corrective actions are triggered by risk realisation.
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||
Production systems and business applications generate security events, for example both successful and failed instances of:
User logon and logoff, changes in privileges, such as user and access management, software changes and removal, system and application configuration changes, and significant system events.
Create, read, update, and delete access on customer data is monitored. Exceptional access (outside of standard data flow) generates security events.
Security events are transferred to a secure monitoring system as soon as events are generated and buffered locally to prevent event loss in case of break in communications with the secure monitoring system.
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||
Production environments are monitored for incidents and failures and incident tickets are opened for anomalies. Monitoring includes internal and external performance. Production environment activity is monitored by reviewing most common system and application log events in weekly meetings. Event logs are collected and stored.
A service level agreement (SLA) for service availability and performance is in place. Performance against the SLA is monitored and measured.
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||Yes|
|Price||£4020 per unit|
|Discount for educational organisations||No|
|Free trial available||No|