SupplyNow for Temporary Education Staffing
SupplyNow is the EdTech company connecting schools directly to fully vetted teachers, with an intelligent algorithm that finds the best candidates.
We enable schools, MATs, colleges, LAs and other bodies to self-manage their temporary staffing needs without reliance on an agency. Broadcast to a staff pool with real-time acceptance.
- Cloud service
- Mobile app
- Real time push notifications and email alerts
- Multiple shift advertising and booking
- Short term, long term and perm bookings
- APIs for system integration
- Onboarding for education professional candidates
- Geo-location and travel directions
- Supply list management and favourites
- Fast and convenient - post jobs 24/7/365
- Full safeguarding checks in line with DfE guidance
- Quick & easy sign up and safeguarding checks
- Best value - save up to 20% vs traditional agencies
- Manage your own supply list and use those staff first
- No hidden fees or commissions
- No timesheets, no internal admin
- Reduce time cost of senior staff managing vacancies
|Software add-on or extension||No|
|Cloud deployment model||Public cloud|
|Email or online ticketing support||Email or online ticketing|
|Support response times||Same day response to support queries in most cases. All questions will be responded to within 24 working hours.|
|User can manage status and priority of support tickets||No|
|Phone support availability||24 hours, 7 days a week|
|Web chat support||Web chat|
|Web chat support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support accessibility standard||WCAG 2.1 A|
|Web chat accessibility testing||Our web chat system is powered by Zoho SalesIQ platform. Please refer to https://www.zoho.com/salesiq/ for the details of the latest WCAG compliance levels.|
|Onsite support||Yes, at extra cost|
Initial onsite user training is included as part of our implementation. There is online training also available.
SupplyNow provides telephone, email and web chat support with an account manager who will assist remotely or onsite as required to resolve your issue.
For technical issues, a dedicated support engineer will be assigned as your single point of contact for each case.
|Support available to third parties||Yes|
Onboarding and offboarding
SupplyNow offer remote and onsite training for all our clients. This usually takes less than 20 minutes and includes end to end training, account setup and posting your first booking. Documentation and an online video are also available.
We invest in User Experience (UX) research to ensure our software is intuitive and in touch with the needs of the user.
Once registered we offer refresher guidance and training on creating individual profiles for each customer school and new user.
Our team of Community Managers (CMs) support client users via face to face meetings during onboarding including review meetings to provide support and guidance and monitor user satisfaction throughout. Monthly MI reports are also automatically issued.
The user can also call or email their CM to place the booking on their behalf if they do not have access. The booking would then be broadcast through the system, so it has all the benefits of the portal.
|End-of-contract data extraction||We comply with GDPR Subject Access Requests and commit to providing this data in a machine readable format within legal time limits as specified by the ICO.|
Access to bookings will cease upon contract expiry. Read-only visibility until last ongoing booking has completed.
Data extracted in a machine readable format in line with GDPR within legal time limits as specified by the ICO.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||
We have a dedicated mobile app for education professionals, giving a simplified dashboard of relevant bookings.
The candidate is instantly notified of new bookings matching their skills, and can accept or register their interest to the school / MAT / college / LA directly from their phone.
Candidates can also keep their profile and skills data up to date from their phone.
|What users can and can't do using the API||
As a vendor you can use our cloud API to register new mobile users, reset passwords, and manage profile data.
You can create and manage bookings, control notifications and pull key information about bookings and schools.
Every integrated feature of our own mobile app uses the API internally, and as a vendor you can access the same services and data.
|API documentation formats||HTML|
|API sandbox or test environment||Yes|
|Description of customisation||
Logo and sub-domain, T&Cs, email templates, system settings by highly privileged user roles using on screen tools provided as part of our normal service.
Set custom prices, fees, approval / vetting conditions, automated payroll output schedule.
|Independence of resources||Separate cloud service nodes and IIS application pools are used to balance demand across logically separate cloud components / services and physically isolated resources. This pattern applies across the app tier, data tier and mobile client channel.|
|Service usage metrics||Yes|
Customers can report on a variety of metrics including, but not limited to, volume of transactions, time to fill, fill rate, usage by site / user, reason for booking, breakdown of candidate number, type, geolocation data.
For system service metrics: CPU, Disk, HTTP request and response status, Memory, Network I/O.
System uptime and availability, reliability, failures and exceptions, unique sessions and users, request processing performance and page load times, custom application events.
|Supplier type||Not a reseller|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Baseline Personnel Security Standard (BPSS)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||In-house|
|Protecting data at rest||Encryption of all physical media|
|Data sanitisation process||Yes|
|Data sanitisation type||Deleted data can’t be directly accessed|
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||
Payroll data export is managed by admin user on screen using inbuilt functionality.
Contract end user data export will be performed by SupplyNow technical staff upon request.
|Data export formats||
|Other data export formats||XML|
|Data import formats||
|Other data import formats||XML|
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||Other|
|Other protection within supplier network||Microsoft Azure Cloud internally manages this to best in class standards of internal authentication, confidentiality and authorisation. We use strong passwords, credentials and secrets managed centrally in Azure KeyVault.|
Availability and resilience
|Guaranteed availability||Our cloud service provider guarantees at least 99.9% network up-time.|
|Approach to resilience||Our Azure based data center maintains high availability, disaster recovery, and backup. Redundancy is built in at the virtual machine (VM), app service, and data tier levels. We stay compliant with UK / EEA legal and regulatory requirements respective of the location of customer and company-internal data.|
|Outage reporting||Internal dashboards are monitored continuously, backed by email alerts for key events and major uptime / performance / exception warnings.|
Identity and authentication
|User authentication needed||Yes|
|Other user authentication||Username and strong password initially, along with a number of additional guards as part of our Defence in Depth strategy. For example, reCAPTCHA v2 automatically activates after 3 failed logon attempts, to mitigate bot access. User accounts are automatically disabled during unusual login activity, to safeguard the user and system, with re-activation only possible by verifying stored known facts via pre-approved communication channels (e.g. a previously verified email address).|
|Access restrictions in management interfaces and support channels||The production environment is isolated by access policy, separate dedicated password sets, TLS certificates, storage and runtime instance across client, api, app and data tiers. Separate, stricter policies are enforced for the Live environment, with access controlled through set secure channels granted to highly privileged users only.|
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
|Description of management access authentication||IP address as an additional layer of defence.|
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||Between 6 months and 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||Between 6 months and 12 months|
|How long system logs are stored for||Between 6 months and 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||BSI for ISO 27001:2013 standard|
|ISO/IEC 27001 accreditation date||20/06/2017|
|What the ISO/IEC 27001 doesn’t cover||Data in transit between the mobile app and Azure services. Data in transit between the web browser and Azure services. Data at rest in the mobile app.|
|ISO 28000:2007 certification||No|
|CSA STAR certification||Yes|
|CSA STAR accreditation date||20/06/2017|
|CSA STAR certification level||Level 3: CSA STAR Certification|
|What the CSA STAR doesn’t cover||Please refer to Microsoft Azure Cloud for further details.|
|Other security certifications||Yes|
|Any other security certifications||
|Named board-level person responsible for service security||Yes|
|Security governance certified||No|
|Security governance approach||Our software assets are protected via Azure's best in class security certification and ongoing IT governance process. Internally we comply with the GDPR and the DPA 2018, with a regular ongoing training strategy and annual auditing to ensure standards are upheld in practice.|
|Information security policies and processes||SupplyNow is an ICO registered Data Controller (reg no ZA241765). SupplyNow adheres to modern standards of infosec best practice throughout the SDLC from inception to delivery and support in production. This includes upfront security reviews at design stage, developer training, code reviews, unit testing, integration testing and security checks during the User Acceptance Testing stage. Dev, Test, Demo and Live environments are isolated by access policy, separate dedicated password sets, TLS certificates, storage and runtime instances across client, api, app and data tiers. Separate policies are enforced for each environment, and these are regularly reviewed by our security officer. Teams are granted access to these environments individually based on job function, with privilege levels granted minimally depending on need. We have a robust JML process to safeguard relevant up to date access to our systems when staff changes occur within the business. This includes check in, periodic review and checkout gates. A register of issues is kept, and accounts are decommissioned when appropriate.|
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||At SupplyNow we maintain a healthy agile backlog which is regularly groomed, taking input from around the business. Security knowledge, training and review are incorporated into all stages of change including sprint planning, scrum and sprint review. We believe that security is an integral part of the SDLC for all staff, not somebody else's problem. All relevant change requests are personally checked by our security officer before being allowed into production.|
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||SupplyNow practises Defence In Depth, deploying multiple layers of defence to reduce our surface to intrusion, service denial and man-in-the-middle / replay attack, including TLS 1.2 certificates, strong ciphers, CSRF synch, keychain and robust RBA. We embed security knowledge throughout the whole SDLC process, training in the latest Open Web Application Security Project (OWASP) and other best practices. Potential threats are triaged by authorised support engineers, with high level risks escalated to the security officer. Genuine risks are picked up by security experts for immediate patch where necessary. Being agile, we respond within 48 hours from identification to production patch.|
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||We use Azure Insights Monitoring as a cloud native service, using AI to identify potential risks and instantly alert our security officer to intervene and review. Key custom event monitors are set up to notify us of predictable potential threats. We monitor an access log including anonymous demographics to identify request sources. We provide a 24 hour response to any potential threat, personally notifying any affected users face-to-face, by verified phone or email. Candidates are vetted during onboarding, e.g. teachers must disclose their Teacher Reference Number matching government DfE records, photo ID and other vital proofs of identity.|
|Incident management type||Supplier-defined controls|
|Incident management approach||We have a documented process triggered by our proactive detection and monitoring strategy. Genuine incidents are analysed by our security experts. Issue logs are kept in Jira and fed directly into the agile SDLC wherever a software change may be necessary. On top of our internal monitors and alerts, end users may notify us in person, by secure web contact form, phone or email in order to report a potential compromise. Where relevant we inform affected users directly of current status, mitigation and any necessary actions required on the part of the user e.g. updating their personal data.|
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Public sector networks
|Connection to public sector networks||No|
|Price||£3.50 to £20.00 per transaction|
|Discount for educational organisations||Yes|
|Free trial available||Yes|
|Description of free trial||When you sign up to the SupplyNow tech platform, you will be entitled to 5 days fee free usage. In addition, if you refer another school: 1x successful referral = £50 classroom equipment. 5x successful referrals = £300 classroom or sports equipment. 10x successful referrals = £500 outdoor learning equipment.|
|Link to free trial||https://www.supplynow.co.uk/refer-school|