Xledger UK

Xledger Finance Management Solution

Xledger is a leading software vendor of cloud ERP finance systems. Designed for the Cloud, Xledger is ideal for organisations with complex finance management needs from a wide range of sectors including Charities, Not-for-Profits, Education, Faith, Housing, Residential Care, to the likes of Professional Services and Engineering


  • No upfront capital investments
  • Automation for simplified finance operations
  • Role based KPI dashboards and enhanced reporting functionality
  • Bank integration for reconciliation and payments
  • Purchase to pay (e-procurement)
  • Project Accounting - time & expense management
  • Integrated workflow approval
  • Invoice scanning
  • Device agnostic - any browser
  • Efficient fast deployment


  • Real-time business insight for improved decision-making
  • Simplified finance operations through automation efficency
  • Improved insights and control via real-time reporting
  • Configuration over Customisation for cost savings
  • Self-service through role based dashboards creates empowerment
  • System upgrades and maintenance included in monthly subscription
  • All clients on the latest version and upgrading quarterly
  • No upfront capital investment or IT infrastructure, just browser/Internet
  • Scalablity with full consolidation
  • Purchase to pay cycle automation efficiencies


£5 per user per month

  • Education pricing available

Service documents


G-Cloud 11

Service ID

2 6 8 3 0 0 1 9 8 3 0 1 5 1 5


Xledger UK

Ian Halliwell



Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Any other operational system that requires financial data such as CRM, donor management, student records, housing management, etc.
Cloud deployment model
Public cloud
Service constraints
Planned quarterly System Upgrades scheduled typically on a weekend with minimal downtime (1-2hrs) - full notification in advance.
System requirements
  • Device agnostic - PC, Laptop, Tablet, Mobile Device
  • Network connection - fixed or mobile
  • System access via Browser - all recognised browsers supported

User support

Email or online ticketing support
Yes, at extra cost
Support response times
Category A - Operationally Critical - As quickly as possible
Category B - Time Critical - 2 Hours
Category C - Important - 4 Hours
Category D - Not Time Critical - by the end of the next working day

Xledger provides customer support - Monday to Friday 0900-1700hrs, support is not provided at weekends
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Xledger provides the following Support:
This is an enhanced support service provided at a fixed cost normally for the first 2 months after go-live. This includes 2 days on site, to be agreed with the project manager to provide additional assistance in the first 2 months of live operation to • assist users the first time they use the system • answer ad-hoc questions • provide tips on efficient practice Additional days are available on request.

In life support:
Support is provided at 20% of the client contract monthly subscription invoice value. For ongoing questions about the software, help with resolving specific problems and high level advice on new areas, the customer’s appropriately trained users have two sources of support: • Online help within the Xledger product provides field by field documentation, troubleshooting and FAQs. • The Xledger email Helpdesk facility allows users to log queries and track responses.

Xledger has a dedicated customer support team.

Technical support for the application is included in the monthly fee
Support available to third parties

Onboarding and offboarding

Getting started
Xledger offers a full setup service, comprising of consultancy, training, project management, data migration and configuration. We follow a standard methodology, based on the principles of Prince2. The service is typically provided as a mixture of onsite and offsite, depending on the preference of the customer. All services are fully documented.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
At the end of the contract users we will provide users with their data in an electronic format, usually CSV with a download of their documents in a PDF format.
Users are able to extract their data manually at any time.
End-of-contract process
At the end of the contract additional charges can apply for:
1. Providing an electronic export of the data
2. Providing on-going access to the application for historical reporting
3. Consultancy assistance in transferring data to another application

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Key end user screens are available through a mobile interface, optimized for use on a phone. For example invoice approval, payment approval, bank balances, expenses entry, timesheet entry.
Service interface
What users can and can't do using the API
There are 2 types of API available:
1. XML webservices are used for importing and exporting data in a predefined format. Typically used for transaction processing or transferring high volumes of data
2. GraphQL is a dynamic interface used when a real-time integration is appropriate.

Most registers and transaction types can be accessed through both of the API's. All changes are fully validated. The volume of data that can be transferred in any one time period is limited
API documentation
API documentation formats
API sandbox or test environment
Customisation available


Independence of resources
Load balancing is handled by our operations team as part of the ongoing service. Process queues are monitored on a continuous basis, with alerts being issues automatically if there are bottlenecks or other problems. Processes are run asynchronously and across multiple dedicated processing queues.


Service usage metrics
Metrics types
All activity is logged. For example the system will track how many transactions are registered, how many invoices generated, how many expenses are submitted, how many workflow tasks are processed etc. These metrics are available via a standard enquiry screen to users with appropriate access rights.
Reporting types
Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Users can export their data on demand from screen enquiries, directly into Excel. They are also able to export data using a server process, into a CSV file. Programmatically data can be exported using an XML webservice or GraphQL
Data export formats
  • CSV
  • Other
Other data export formats
  • XML
  • JSON
  • HTML
Data import formats
  • CSV
  • Other
Other data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
We aim to provide a service 24*7, with the exception of scheduled downtime for maintenance and upgrades. Service availability has historically been 99.98%. This level is not guaranteed.
Approach to resilience
We use two independent internet connections. Further details are available on request
Outage reporting
Outages are notified via our website or via email alerts, depending on the cause.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
All employees and hired external personnel must sign a non-disclosure agreement on employment /commencement of an engagement. The statement includes information on management of sensitive customer data for both management and support. Employees’ access to specific customer information is managed by access rights specified in Active Directory, based on their job role. Access rights are authorised by the CFO and reviewed annually.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Available on request:

The current scope of certification covers the following:
IT Housing, provision of data centre space. In accordance with the statement of applicability version 2, revision B, Oct 2014.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • ISO 14001: 2015 Environmental Management System Standard
  • ISO 9001: 2015 Quality Management Systems
  • OHSAS 18001: 2007 Occupational Health and Safety Management

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
Our processes are audited and certified annually by Ernst and Young. Further details are available on request

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Changes are reviewed by our technical teams and reviewed on a continuous basis. Each change is assessed based on severity and deployed as a patch or in the next main release.
To ensure network security, firewalls are configured to identify, analyse and log abnormal activity. Reports from the firewalls are sent weekly to the system administrator. The logs are reviewed monthly and documentation of review is stored on the fileserver.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Logs are reviewed weekly.
Security patches and virus software are deployed automatically
If any patches are required for Xledger software they are applied with releases, or sooner if they are critical
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
A. To ensure network security, firewalls are configured to identify, analyse and log abnormal activity. Reports from the firewalls are sent weekly to the system administrator. The logs are reviewed monthly and documentation of review is stored on the fileserver.
B. In order to reduce consequences of a virus or malware, security updates are installed on the servers. WSUS-Windows Server Update Services is are configured to download and notify of such updates. System Administrator is responsible for ensuring that relevant security updates are installed according to the set configurations. Documentation is stored according to procedure.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Customers log incidents via dedicated email addresses. Incidents are logged automatically in our support systen, Zendesk.
All enquiries received are checked by 1st line support that there is sufficient documentation. The case is then categorised as either user support or incident and passed to the appropriate team for resolution.
The customer is informed of the log number of their incident and subsequent changes in status of their incident via email

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£5 per user per month
Discount for educational organisations
Free trial available

Service documents

Return to top ↑