Xledger UK

Xledger Finance Management Solution

Xledger is a leading software vendor of cloud ERP finance systems. Designed for the Cloud, Xledger is ideal for organisations with complex finance management needs from a wide range of sectors including Charities, Not-for-Profits, Education, Faith, Housing, Residential Care, to the likes of Professional Services and Engineering.


  • No upfront capital investments
  • Automation for simplified finance operations
  • Role based KPI dashboards and enhanced reporting functionality
  • Bank integration for reconciliation and payments
  • Purchase to pay (e-procurement)
  • Project Accounting - time & expense management
  • Integrated workflow approval
  • Invoice scanning
  • Device agnostic - any browser
  • Efficient fast deployment


  • Real-time business insight for improved decision-making
  • Simplified finance operations through automation efficiency
  • Improved insights and control via real-time reporting
  • Configuration over Customisation for cost savings
  • Self-service through role based dashboards creates empowerment
  • System upgrades and maintenance included in monthly subscription
  • All clients on the latest version and upgrading quarterly
  • No upfront capital investment or IT infrastructure, just browser/Internet
  • Scalability with full consolidation
  • Purchase to pay cycle automation efficiencies


£5 per user per month

  • Education pricing available

Service documents


G-Cloud 11

Service ID

268300198301515


Xledger UK

Ian Halliwell



Service scope

Software add-on or extension: Yes, but can also be used as a standalone service
What software services is the service an extension to: Any other operational system that requires financial data such as CRM, donor management, student records, housing management, etc.
Cloud deployment model: Public cloud
Service constraints: Planned quarterly System Upgrades scheduled typically on a weekend with minimal downtime (1-2hrs) - full notification in advance.
System requirements:
  • Device agnostic - PC, Laptop, Tablet, Mobile Device
  • Network connection - fixed or mobile
  • System access via Browser - all recognised browsers supported

User support

Email or online ticketing support: Yes, at extra cost
Support response times:
Category A - Operationally Critical - As quickly as possible
Category B - Time Critical - 2 Hours
Category C - Important - 4 Hours
Category D - Not Time Critical - by the end of the next working day

Xledger provides customer support Monday to Friday, 0900-1700hrs; support is not provided at weekends.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: None or don’t know
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: Yes, at extra cost
Support levels:
Xledger provides the following Support:
This is an enhanced support service provided at a fixed cost, normally for the first 2 months after go-live. This includes 2 days on site, to be agreed with the project manager, to provide additional assistance in the first 2 months of live operation to:
  • assist users the first time they use the system
  • answer ad-hoc questions
  • provide tips on efficient practice
Additional days are available on request.

In life support:
Support is provided at 20% of the client contract monthly subscription invoice value. For ongoing questions about the software, help with resolving specific problems and high level advice on new areas, the customer’s appropriately trained users have two sources of support:
  • Online help within the Xledger product provides field by field documentation, troubleshooting and FAQs.
  • The Xledger email Helpdesk facility allows users to log queries and track responses.

Xledger has a dedicated customer support team.

Technical support for the application is included in the monthly fee.
Support available to third parties: No

Onboarding and offboarding

Getting started: Xledger offers a full setup service, comprising consultancy, training, project management, data migration and configuration. We follow a standard methodology, based on the principles of Prince2. The service is typically provided as a mixture of onsite and offsite, depending on the preference of the customer. All services are fully documented.
Service documentation: Yes
Documentation formats:
  • HTML
  • PDF
End-of-contract data extraction: At the end of the contract we will provide users with their data in an electronic format, usually CSV, with a download of their documents in PDF format.
Users are able to extract their data manually at any time.
End-of-contract process: At the end of the contract additional charges can apply for:
1. Providing an electronic export of the data
2. Providing on-going access to the application for historical reporting
3. Consultancy assistance in transferring data to another application

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: Key end user screens are available through a mobile interface, optimized for use on a phone. For example, invoice approval, payment approval, bank balances, expenses entry, timesheet entry.
Service interface: No
What users can and can't do using the API:
There are 2 types of API available:
1. XML webservices are used for importing and exporting data in a predefined format. Typically used for transaction processing or transferring high volumes of data.
2. GraphQL is a dynamic interface used when a real-time integration is appropriate.

Most registers and transaction types can be accessed through both of the APIs. All changes are fully validated. The volume of data that can be transferred in any one time period is limited.
API documentation: Yes
API documentation formats: PDF
API sandbox or test environment: Yes
Customisation available: No


Independence of resources: Load balancing is handled by our operations team as part of the ongoing service. Process queues are monitored on a continuous basis, with alerts being issued automatically if there are bottlenecks or other problems. Processes are run asynchronously and across multiple dedicated processing queues.


Service usage metrics: Yes
Metrics types: All activity is logged. For example, the system will track how many transactions are registered, how many invoices generated, how many expenses are submitted, how many workflow tasks are processed etc. These metrics are available via a standard enquiry screen to users with appropriate access rights.
Reporting types: Reports on request


Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: European Economic Area (EEA)
User control over data storage and processing locations: No
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type: Deleted data can’t be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Users can export their data on demand from screen enquiries, directly into Excel. They are also able to export data using a server process, into a CSV file. Programmatically, data can be exported using an XML webservice or GraphQL.
Data export formats:
  • CSV
  • Other
Other data export formats:
  • XML
  • JSON
  • HTML
Data import formats:
  • CSV
  • Other
Other data import formats: XML

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: We aim to provide a service 24*7, with the exception of scheduled downtime for maintenance and upgrades. Service availability has historically been 99.98%. This level is not guaranteed.
Approach to resilience: We use two independent internet connections. Further details are available on request.
Outage reporting: Outages are notified via our website or via email alerts, depending on the cause.

Identity and authentication

User authentication needed: Yes
User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels: All employees and hired external personnel must sign a non-disclosure agreement on employment/commencement of an engagement. The statement includes information on management of sensitive customer data for both management and support. Employees’ access to specific customer information is managed by access rights specified in Active Directory, based on their job role. Access rights are authorised by the CFO and reviewed annually.
Access restriction testing frequency: At least every 6 months
Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users have access to real-time audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: DNV.GL
ISO/IEC 27001 accreditation date: 30/04/2015
What the ISO/IEC 27001 doesn’t cover:
Available on request:

The current scope of certification covers the following:
IT Housing, provision of data centre space. In accordance with the statement of applicability version 2, revision B, Oct 2014.
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security certifications: Yes
Any other security certifications:
  • ISO 14001: 2015 Environmental Management System Standard
  • ISO 9001: 2015 Quality Management Systems
  • OHSAS 18001: 2007 Occupational Health and Safety Management

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: Our processes are audited and certified annually by Ernst and Young. Further details are available on request.

Operational security

Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach:
Changes are reviewed by our technical teams and reviewed on a continuous basis. Each change is assessed based on severity and deployed as a patch or in the next main release.
To ensure network security, firewalls are configured to identify, analyse and log abnormal activity. Reports from the firewalls are sent weekly to the system administrator. The logs are reviewed monthly and documentation of review is stored on the fileserver.
Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach:
Logs are reviewed weekly.
Security patches and virus software are deployed automatically.
If any patches are required for Xledger software they are applied with releases, or sooner if they are critical.
Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach:
A. To ensure network security, firewalls are configured to identify, analyse and log abnormal activity. Reports from the firewalls are sent weekly to the system administrator. The logs are reviewed monthly and documentation of review is stored on the fileserver.
B. In order to reduce consequences of a virus or malware, security updates are installed on the servers. WSUS (Windows Server Update Services) is configured to download and notify of such updates. The System Administrator is responsible for ensuring that relevant security updates are installed according to the set configurations. Documentation is stored according to procedure.
Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach:
Customers log incidents via dedicated email addresses. Incidents are logged automatically in our support system, Zendesk.
All enquiries received are checked by 1st line support to confirm that there is sufficient documentation. The case is then categorised as either user support or incident and passed to the appropriate team for resolution.
The customer is informed of the log number of their incident and subsequent changes in status of their incident via email.

Secure development

Approach to secure software development best practice: Supplier-defined process

Public sector networks

Connection to public sector networks: No


Price: £5 per user per month
Discount for educational organisations: Yes
Free trial available: No
