EUS Holdings Limited

Contract Management

Provides management of contracts including sharing contract documentation with suppliers, finalising contracts, alerts, management of the Contract Register, performance management with suppliers able to update KPIs, searching and filtering contracts, stakeholder surveys and contract change management. e-Contract Management integrates with DPS, eTendering, eVendor and e-Evaluation with automatic passing of data and single login.

Features

  • Contract Register, Contract Alerts, Approval Workflows, Category management
  • Create bespoke additional fields to capture additional internal specific requirements
  • Export all data to various formats including any bespoke fields
  • Workflow to finalise and agree contracts
  • Document management including version control
  • Run Mini-Competitions directly from a framework contract
  • Manage alerts and Contract Renewal / Expiry warning
  • Audit and event logs for Contract Users and Suppliers
  • Collaboration with Suppliers, Stakeholder feedback, Supplier KPI management
  • Integrates with e-Tendering, DPS, Quick Quotes/RFQ, e-Evaluation, e-Vendor Management

Benefits

  • Centralised location for entire Contract Register
  • Simple view of upcoming contracts due for renewal
  • Notification alerts give preparation time for re-tender process
  • Supplier self-management of annually renewed documents
  • Significant time reductions and efficiency savings
  • Links directly with the eTendering module transferring all data
  • Ability to upload historical contracts using excel upload
  • Suppliers can access signed contracts

Pricing

£2,500 a unit a year

  • Education pricing available
  • Free trial available

Service documents

Framework

G-Cloud 12

Service ID

245135308924508

Contact

EUS Holdings Limited
Sid Bains
Telephone: 07789 260 680
Email: sid.bains@eu-supply.com

Service scope

Software add-on or extension
No
Cloud deployment model
Private cloud
Service constraints
1. Multiple files and folders can be uploaded as tender documents; however, each file should not be more than 2.14GB.
2. Maximum data space for the Authority is 10GB allowed in the basic price, but additional space can be purchased if required.
System requirements
  • Internet access
  • Any commonly used browser, including up to 3 previous versions

User support

Email or online ticketing support
Email or online ticketing
Support response times
Email or ticketing support queries get an immediate ticket number and Severity Level 1 issues are normally responded to within the same business day. Please see enclosed SLA in our Service definition document.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 A
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Support for both buyer and supplier users is included at no extra cost. A technical account manager is assigned for each client. Helpdesk is accessible via e-mail and phone.
Minimum guaranteed SLA is 99.5% during Working Hours and actual current performance is 99.8%
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Authority makes a request to join the system by contacting EU Supply (by phone or email) and completes a simple initialisation form with the Authority details and buyer details.
Upon receipt of a Purchase Order, the Authority is set up in the system both on the live production site and a demo/training site. Standard procurement templates are loaded for the Authority.
The secure log in is sent to the Administrator of the Authority. The Administrator of the Authority can access guidance and training material and create additional users as per the Purchase Order.
Authority can go live and start publishing tenders within one day of receipt of online form and the PO.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
The archive module will allow the Authority to download all tender response data, including communication messages and audit trail as reports. In addition, we can create an encrypted 'zip' file for the Authority to download.
End-of-contract process
Authority has to give written notice of termination and then the archive facility will be switched on to allow the Authority to download the tender data. There is no additional cost for this.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
A mobile device requires a browser and internet access. For security reasons there is no app to be downloaded. There is no difference between the mobile and desktop service apart from the screen being smaller on a mobile device. Some page layouts may not be optimal for small-screen mobile devices. File upload may be a limitation on mobile devices.
Service interface
Yes
Description of service interface
There are multiple service interfaces to different systems, e.g. RSS Feed, archiving systems, publishing systems (TED and Contract Finder), E-Signature providers and National Notification Platforms such as Doffin (Norway).
Accessibility standards
None or don’t know
Description of accessibility
Testing has been performed on the Doffin National Notification Portal for Norway. All system public pages have been tested. A formal accessibility statement is published on our platform in compliance with Accessibility Regulations 2020 which is a legal requirement by September 2020. EU-Supply is fully committed to making all public pages of the platform website fully accessible, in accordance with the Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2020.
Accessibility testing
Testing has been performed on the Doffin National Notification Portal for Norway.
API
Yes
What users can and can't do using the API
The system allows the export of data using interfaces such as RSS Feed and Data Download Service API. The user can build their own reports and interrogations using this API.
API documentation
Yes
API documentation formats
PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Procurement Templates can be configured via the Administrator interface; Secure workspaces can be set up; OJEU templates and invitation letters can be configured; Online questionnaire template libraries can be set up; Document Libraries can be set up; Additional users can be set up and access rights (read only, editor etc.) can be set up by the Authority (subject to the Purchase Order licence requirements); A branded page can be set up; URL of the site will be in the format https://AuthorityName.eu-supply.com.

Scaling

Independence of resources
The current loading of the platform is closely monitored and is kept below 30% of the capacity to cater for rapid increase of service load. Additional servers can be added easily to increase the capacity if required. Application infrastructure supports web servers to be fully scalable. Additional web servers can be added on-demand.

Analytics

Service usage metrics
Yes
Metrics types
Depending on the SLA, service usage metrics can be made available on a monthly, quarterly, half-yearly or annual basis.
Reporting types
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
No
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
A number of reports are available for the user to export their data, including tender responses, supplier communication messages, audit trails and evaluation reports. In addition, there are configurable reports the user can use as well as the Archive facility to export all tender responses.
Data export formats
  • CSV
  • Other
Other data export formats
  • Xls
  • Pdf
  • CSV
  • Doc
  • Xml
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
  • Xls
  • Txt
  • Docx

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Minimum SLA is 99.5% during Working Hours, but the target is 99.8%, which is currently being achieved and has been over the last few years.
Approach to resilience
High Availability (HA) infrastructure designed to host the CTM application with redundancy of resources at all levels.
• HA pair of Front firewalls for service boundary protection to accept the incoming HTTPS connections.
• A second tier of HA pair of firewalls exists between the web servers and the backend databases.
• Web servers are clustered to provide redundancy and scalability.
• Database mirroring technology is used to maintain Primary-Secondary database instances as hot standby server with automatic rapid failover support
• All file storages are replicated to a secondary location
• Backups are taken into disaster recovery location using secured connection through IPSec tunnel
Outage reporting
Public dashboard and email alerts

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Access to management interfaces is protected by Secure VPN access and 2-factor authentication.
Role-based access controls for information systems are established to incorporate only “need to provide” legitimate limited access to meet business needs.
Access to the resources on the EU-Supply network, computing, information systems and peripherals is strictly controlled to prevent unauthorised access.
Administration access within the EU-Supply infrastructure is restricted to those persons who are qualified and authorised to perform systems administration / management functions. Even then, such access is performed under dual control requiring the specific and documented approval of Change Requests.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Carlstedt Inc
ISO/IEC 27001 accreditation date
10/09/2019
What the ISO/IEC 27001 doesn’t cover
EU SUPPLY LTD GROUP

INCLUDING

EUS HOLDINGS LTD & EU-SUPPLY HOLDING AB

Carlstedt Inc, a licensed partner of PECB Nordics, hereby affirms that the above organisation operates an
INFORMATION SECURITY MANAGEMENT SYSTEM
that conforms to the requirements of ISO/IEC 27001:2013.

The scope and boundaries of the ISMS which meets the criteria of the ISO/IEC 27001:2013 specification of an ISMS covers the management of Information Security aspects in the following areas: All Business Processes, including the following in-scope location(-s): All Locations of above organisations.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
  • ISO 9001:2015
  • ISO 20000-1:2011
  • ISO 14001:2015

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Confidentiality of information is guaranteed as part of our integrated information management system. This has been implemented and refined since 2009 to safeguard EU-Supply IPRs, security of its information and services, quality of its services and projects, and this integrated management system has been certified ISO 27001:2013, ISO 9001:2015, ISO 20000-1:2011 and ISO 14001:2015 for all business processes across the group, with certifications all performed by a PECB-accredited certification body. All access to the system delivered as Software as a Service is via secure user authentication. Only users with access to documents and workspaces can view, edit or download information and manage workflow. There is logical separation between workspaces and user profiles.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
The configuration and change management process is described in EU-Supply’s Information Security Management System (ISMS), which is ISO/IEC 27001 certified:
• All changes are subject to the Change control process and are to be tested prior to deployment
• All changes need to be analysed for risk of applying/not-applying change
• Every change needs a formal Change request form to be filled in by the requestor, which includes time-plan, detailed steps, responsible, rollback plan etc., and sent to the ISF (Information security forum) for approval
• Upon approval of ISF, changes are applied
• ISF maintains changes in the Change Record
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
It is the policy of EU-Supply to ensure that vendor supplied security patches of Software/OS/3rd party components in use are applied in a timely manner.
Patches are subject to Change Control Process and are to be tested before deployment.
Patches are obtained from the relevant support provider.
Identified critical security patches are installed as soon as practicable.
A variety of sources of critical patch information are to be used. Examples include Vendor websites, vulnerability websites, vulnerability scans carried out by the systems security team and directly from the Support provider support team.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
A number of monitoring control features are in use, including "internal" (through System Center Operations Administrator SCOM) as well as "external", such as Site scanner service to monitor external access of websites.
There are other logging features also enabled such as IIS logs, firewall logs, URL traces, error logs etc. EU-Supply operations team monitors such alerts and logs proactively to identify potential problems and find remedy.
If a potential compromise is discovered then it is dealt with according to the severity classification laid out in the Incident response procedure in the EU-Supply Information Security Management System (ISMS), which is ISO/IEC 27001 certified.
Incident management type
Supplier-defined controls
Incident management approach
The EU-Supply process is detailed in the Incident Response Plan according to the Information Security Management System (ISMS), which is ISO/IEC 27001 certified. Aspects:
• Incident management roles and responsibilities.
• Communications strategies and mechanisms for escalation, including contact details.
• The conditions under which third parties are contacted.
• How incidents are to be categorised and prioritised.
• Reporting requirements.
• Process flow from incident notification to final closure.
• How to respond to different incident types.
• Strategy for business continuity post compromise.
• Analysis of legal requirements for reporting compromises & Procedure for personal data protection breach and registration of breach (GDPR)

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Pricing

Price
£2,500 a unit a year
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
Free version available for 3 months with full functionality. Setup and implementation costs are chargeable.
