Medical Banks Limited

Soft Recruit (Vendor Management Software)

Soft Recruit vendor management system manages the provision of agency staff for hospitals. The VMS manages the entire agency framework process from the publishing of job requests to frameworks, candidate submission and confirmation, electronic time sheets, invoice validation, direct engagement and real-time reporting.


  • Simple intuitive user interfaces (desktop, tablets)
  • Captures exact staffing requirements and publishes to agency framework
  • Cascades jobs in accordance with your framework agreements
  • Automation of job allocation with framework agency
  • Real-time compliance – Manages agency compliance
  • Performance management – calculates agency fill rates
  • Highly configurable to match the precise needs of the customer
  • Communicates automatically with agency framework
  • Real-time roster reports automatically emailed to ward managers


  • Risk Management - Keeps you compliant to your framework agreement
  • Provides clarity and visibility on agency expenditure
  • Facilitates multiple rate cards and rate caps across multiple professions
  • Agency VAT Recovery - facilitates direct and indirect engagement contracts
  • Vastly reduces administration overhead
  • Real-time access to customisable management information reports
  • Provides agencies with direct online access to vacant shifts


£25000 per licence per year

  • Free trial available

Service documents


G-Cloud 11

Service ID

2 3 0 5 6 2 1 1 7 8 8 2 9 0 0


Medical Banks Limited

Rod McGovern


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints No
System requirements
  • Internet Access
  • PDF reader
  • Excel for M.I. reports

User support

User support
Email or online ticketing support Email or online ticketing
Support response times 24 Hours
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), 7 days a week
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), 7 days a week
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Our web chat is accessible from the user online portal and will connect you to our support centre during operating hours or you can leave a message during out of hours.
Web chat accessibility testing None
Onsite support Yes, at extra cost
Support levels Level 0 is provided by the system i.e. automated system support. This is included in the subscription cost

Level 1 support is provided by trained client administrators. This is also the escalation point for higher levels of support provided by MediBanks technicians.

Level 2 and 3 (and, where relevant Level 4 support) is provided by MediBanks. Access to these support levels is via formal escalation from level 1 support. This is included in the subscription cost.

Onsite training can be provided in accordance to our rate card.

MediBanks provides technical account manager.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started During implementation the implementation team will define and implement an agreed training schedule. This training is required for administrative staff only.

From an end user perspective, this system is highly intuitive and therefore guidance is provided via user help guides such as FAQ's and video tutorials embedded throughout the system.
Service documentation No
End-of-contract data extraction Upon termination of a contract all client related data can be provided in CSV format.
End-of-contract process At the end of the contract, data extraction to CSV is provided at no extra cost.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Mobile Site
If accessed via a web browser on a mobile device the users will have full functionality.
Service interface Yes
Description of service interface Our service interface provides users with access to a full control to manage their account.
Accessibility standards None or don’t know
Description of accessibility Our service interface is accessible via a login portal we provide to active clients.
Accessibility testing None
What users can and can't do using the API An API is available for the framework agencies to receive, confirm and cancel bookings.
API documentation No
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Clients can configure the system to meet their custom requirements/workflows within the constraints of the overall system. Configuration options are available through the client administrator portal. Client users with appropriate administrative access can edit configuration options.


Independence of resources MediBanks is hosted by Sungard Availability Services. Sungard AS are a recognised market leader in global cloud hosting services. Our SLA with Sungard includes:

1. Redundancy - a minimum level of redundancy on our servers to allow for peaks in service or system failure.

2. 99.8% up time/availability

3. Access to sufficient servers to allow us to maintain our redundancy and uptime standards as we increase the number or service clients.


Service usage metrics Yes
Metrics types Yes we do provide service usage metrics.

User reports detail the number of active users, user logins, browsers employed and so forth.

Booking and placement reports detail the number of jobs placed on the system and their associated fill rates.

Financial reports detail the amount of money processed via MediBanks also detailing accruals, savings achieved and future liabilities.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Physical access control, complying with CSA CCM v3.0
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Users can export their data via the reports tab of their online portal. These reports can be customised to the users preferences via a data picker and are exported in a standard excel format.
Data export formats
  • CSV
  • Other
Other data export formats Excel
Data import formats
  • CSV
  • Other
Other data import formats Excel

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability The hosting platform is based in Sungard Availability Services. This provides high availability failover and failback options that keep critical applications up and running.

The infrastructure is based on dedicated high availability devices providing packet filtering and load balancing service.

Uptime is over 99.8% and in the unlikely event of failure refunds for downtime are provided on a pro-rata basis of the licence fee.
Approach to resilience The hosting platform is based in Sungard Availability Services. Full details are available on request.
Outage reporting In the event of an outage we depend on email to notify user of system outages and service updates.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels Management interfaces and support channels are restricted by IP address. This is addition to the normal user login processes and user profile permissions.
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach We are in the process of obtaining ISO/IEC 27001 accreditation. We currently hold ISO 9001:2008 accreditation.
Information security policies and processes We currently hold ISO 9001:2008 accreditation. This certification is audited annually.

Our staff are well versed in these policies with regular training provided for the same.

Managers are responsible for the day to day adherence of our security policies. Any breaches of policy must be reported to the IT Director.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach We have an active Product Development Roadmap. Changes to the system are subject to our Change Control Process (CCP).

Enhancements to the system arise from one of three main sources:

• Anticipated Needs
• Client Issues
• Client Opportunities

Enhancements are assessed against:
• Benefit
• Client impact
• Development Cost
• Development duration
• Regression impact
• Risk Assessment (including risks associated with the regression impact)

Approved enhancements are integrated into the development roadmap.

Enhancements are developed in accordance with our overall development model: (1. Discovery, 2. Develop, 3. Test (including regression testing), 4. Deploy and 5. support handover).
Vulnerability management type Supplier-defined controls
Vulnerability management approach We have a threat manager service on our hosted platform which monitors, analyzes and logs security events based on non-SSL traffic to customer identified nodes in real time using hardened security appliances.

This service is comprised of

i) a hardened sensor appliance;

ii) logical and dynamic system analysis;

iii) sensor tuning and optimization;

iv) on-going threat and vulnerability signature updates;

v) intrusion detection services;

vi) asset identification and criticality ranking;

vii) vulnerability assessments and reporting;

vii)web portal;

ix) customer selected notification of detected threats via e-mail or page;

x) Service-software patches, upgrades and updates;

Patches are deployed immediately/ASAP
Protective monitoring type Supplier-defined controls
Protective monitoring approach Potential compromises are monitored via our threat monitor service. Also internally we have monitors for network traffic to identify potential DOS attacks, server and db usage information, fileserver throughput - often times significant traffic from a particular source is indicative of an attack.

Potential compromises are always examined immediately upon discovery. Responses start by analysing server logs, to running different commands on the server to identify any bottlenecks caused.

Response time is immediate, with focus on returning the service as soon as practicable, resolution time often is determined by the seriousness of the compromise.
Incident management type Supplier-defined controls
Incident management approach The company maintains an incident register where all incidents are logged and managed.

All incidents are reported by users or staff are recorded on the incident register where the severity of the incident is asssessed and appropriate action is taken by the manager responsible.

Incident reports are available electronically are the register is electronic and incident reports with their resolution are issued to the user in question if applicable.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £25000 per licence per year
Discount for educational organisations No
Free trial available Yes
Description of free trial Included:
The licence fee is waived for the first 3 months of signed contracts.

Not included:
Implementation and setup fee

Service documents

Return to top ↑