SupplyNow for Temporary Education Staffing

SupplyNow is the EdTech company connecting schools directly to fully vetted teachers, with an intelligent algorithm that finds the best candidates.

We enable schools, MATs, colleges, LAs and other bodies to self-manage their temporary staffing needs without reliance on an agency. Broadcast to a staff pool with real-time acceptance.


  • Cloud service
  • Mobile app
  • Real time push notifications and email alerts
  • Multiple shift advertising and booking
  • Short term, long term and perm bookings
  • APIs for system integration
  • Onboarding for education professional candidates
  • Geo-location and travel directions
  • Supply list management and favourites


  • Fast and convenient - post jobs 24/7/365
  • Full safeguarding checks in line with DfE guidance
  • Quick & easy sign up and safeguarding checks
  • Best value - save up to 20% vs traditional agencies
  • Manage your own supply list and use those staff first
  • No hidden fees or commissions
  • No timesheets, no internal admin
  • Reduce time cost of senior staff managing vacancies


£3.50 to £20.00 per transaction


G-Cloud 11

Service ID

273132597011493



Aimi Kearney

020 3137 1246

Service scope

Software add-on or extension No
Cloud deployment model Public cloud
Service constraints None
System requirements
  • Any modern web browser e.g. Chrome, Edge, Firefox, Safari.
  • iPhone or iPad running iOS 8.0 or later
  • Phone or tablet running Android 4.3 or later

User support

Email or online ticketing support Email or online ticketing
Support response times Same day response to support queries in most cases. All questions will be responded to within 24 working hours.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard WCAG 2.1 A
Web chat accessibility testing Our web chat system is powered by Zoho SalesIQ platform. Please refer to for the details of the latest WCAG compliance levels.
Onsite support Yes, at extra cost
Support levels Initial onsite user training is included as part of our implementation. There is online training also available.

SupplyNow provides telephone, email and web chat support with an account manager who will assist remotely or onsite as required to resolve your issue.

For technical issues, a dedicated support engineer will be assigned as your single point of contact for each case.
Support available to third parties Yes

Onboarding and offboarding

Getting started SupplyNow offer remote and onsite training for all our clients. This usually takes less than 20 minutes and includes end to end training, account setup and posting your first booking. Documentation and an online video are also available.

We invest in User Experience (UX) research to ensure our software is intuitive and in touch with the needs of the user.

Once registered we offer refresher guidance and training on creating individual profiles for each customer school and new user.
Our team of Community Managers (CMs) support client users via face to face meetings during onboarding including review meetings to provide support and guidance and monitor user satisfaction throughout. Monthly MI reports are also automatically issued.

The user can also call or email their CM to place the booking on their behalf if they do not have access. The booking would then be broadcast through the system, so it has all the benefits of the portal.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction We comply with GDPR Subject Access Requests and commit to providing this data in a machine readable format within legal time limits as specified by the ICO.
End-of-contract process Access to bookings will cease upon contract expiry. Read-only visibility until last ongoing booking has completed.

Data extracted in a machine readable format in line with GDPR within legal time limits as specified by the ICO.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service We have a dedicated mobile app for education professionals, giving a simplified dashboard of relevant bookings.

The candidate is instantly notified of new bookings matching their skills, and can accept or register their interest with the school / MAT / college / LA directly from their phone.

Candidates can also keep their profile and skills data up to date from their phone.
Service interface No
What users can and can't do using the API As a vendor you can use our cloud API to register new mobile users, reset passwords, and manage profile data.

You can create and manage bookings, control notifications and pull key information about bookings and schools.

Every integrated feature of our own mobile app uses the API internally, and as a vendor you can access the same services and data.
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Logo and sub-domain, T&Cs, email templates, system settings by highly privileged user roles using on screen tools provided as part of our normal service.

Set custom prices, fees, approval / vetting conditions, automated payroll output schedule.


Independence of resources Separate cloud service nodes and IIS application pools are used to balance demand across logically separate cloud components / services and physically isolated resources. This pattern applies across the app tier, data tier and mobile client channel.


Service usage metrics Yes
Metrics types Customers can report on a variety of metrics including, but not limited to, volume of transactions, time to fill, fill rate, usage by site / user, reason for booking, breakdown of candidate number, type, geolocation data.

For system service metrics: CPU, Disk, HTTP request and response status, Memory, Network I/O.

System uptime and availability, reliability, failures and exceptions, unique sessions and users, request processing performance and page load times, custom application events.
Reporting types
  • Real-time dashboards
  • Regular reports


Supplier type Not a reseller

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach In-house
Protecting data at rest Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data export approach Payroll data export is managed by admin user on screen using inbuilt functionality.

Contract end user data export will be performed by SupplyNow technical staff upon request.
Data export formats
  • CSV
  • Other
Other data export formats XML
Data import formats
  • CSV
  • Other
Other data import formats XML

Data-in-transit protection

Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network Other
Other protection within supplier network Microsoft Azure Cloud internally manages this to best in class standards of internal authentication, confidentiality and authorisation. We use strong passwords, credentials and secrets managed centrally in Azure KeyVault.

Availability and resilience

Guaranteed availability Our cloud service provider guarantees at least 99.9% network up-time.
Approach to resilience Our Azure based data center maintains high availability, disaster recovery, and backup. Redundancy is built in at the virtual machine (VM), app service, and data tier levels. We stay compliant with UK / EEA legal and regulatory requirements respective of the location of customer and company-internal data.
Outage reporting Internal dashboards are monitored continuously, backed by email alerts for key events and major uptime / performance / exception warnings.

Identity and authentication

User authentication needed Yes
User authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
  • Other
Other user authentication Username and strong password initially, along with a number of additional guards as part of our Defence in Depth strategy. For example, reCAPTCHA v2 automatically activates after 3 failed logon attempts, to mitigate bot access. User accounts are automatically disabled during unusual login activity, to safeguard the user and system, with re-activation only possible by verifying stored known facts via pre-approved communication channels (e.g. a previously verified email address).
Access restrictions in management interfaces and support channels The production environment is isolated by access policy, separate dedicated password sets, TLS certificates, storage and runtime instance across client, api, app and data tiers. Separate, stricter policies are enforced for the Live environment, with access controlled through set secure channels granted to highly privileged users only.
Access restriction testing frequency At least every 6 months
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
  • Other
Description of management access authentication IP address as an additional layer of defence.

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for Between 6 months and 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for Between 6 months and 12 months
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI for ISO 27001:2013 standard
ISO/IEC 27001 accreditation date 20/06/2017
What the ISO/IEC 27001 doesn’t cover Data in transit between the mobile app and Azure services. Data in transit between the web browser and Azure services. Data at rest in the mobile app.
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date 20/06/2017
CSA STAR certification level Level 3: CSA STAR Certification
What the CSA STAR doesn’t cover Please refer to Microsoft Azure Cloud for further details.
PCI certification No
Other security certifications Yes
Any other security certifications
  • Microsoft Cloud Power BI ISO 27001 Audit Assessment Certificate
  • Microsoft Cloud Power BI ISO 27018 Audit Assessment Certificate
  • Azure ISO 22301 - Business Continuity Management Certificate
  • Azure ISO 27018 - Protecting Personal Data in the Cloud
  • Azure FY17 ISO 27017 Certificate
  • Azure ISO 20000-1 Certificate
  • Azure ISO 27017 Certificate

Security governance

Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach Our software assets are protected via Azure's best in class security certification and ongoing IT governance process. Internally we comply with the GDPR and the DPA 2018, with a regular ongoing training strategy and annual auditing to ensure standards are upheld in practice.
Information security policies and processes SupplyNow is an ICO registered Data Controller (reg no ZA241765). SupplyNow adheres to modern standards of infosec best practice throughout the SDLC from inception to delivery and support in production. This includes upfront security reviews at design stage, developer training, code reviews, unit testing, integration testing and security checks during the User Acceptance Testing stage. Dev, Test, Demo and Live environments are isolated by access policy, separate dedicated password sets, TLS certificates, storage and runtime instances across client, api, app and data tiers. Separate policies are enforced for each environment, and these are regularly reviewed by our security officer. Teams are granted access to these environments individually based on job function, with privilege levels granted minimally depending on need. We have a robust JML process to safeguard relevant up to date access to our systems when staff changes occur within the business. This includes check in, periodic review and checkout gates. A register of issues is kept, and accounts are decommissioned when appropriate.

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach At SupplyNow we maintain a healthy agile backlog which is regularly groomed, taking input from around the business. Security knowledge, training and review are incorporated into all stages of change including sprint planning, scrum and sprint review. We believe that security is an integral part of the SDLC for all staff, not somebody else's problem. All relevant change requests are personally checked by our security officer before being allowed into production.
Vulnerability management type Supplier-defined controls
Vulnerability management approach SupplyNow practises Defence In Depth, deploying multiple layers of defence to reduce our surface to intrusion, service denial and man-in-the-middle / replay attack. These include TLS 1.2 certificates, strong ciphers, CSRF synch, keychain and robust RBA. We embed security knowledge throughout the whole SDLC process, training in the latest Open Web Application Security Project (OWASP) and other best practices. Potential threats are triaged by authorised support engineers, with high level risks escalated to the security officer. Genuine risks are picked up by security experts for immediate patch where necessary. Being agile, we respond within 48 hours from identification to production patch.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach We use Azure Insights Monitoring as a cloud native service, using AI to identify potential risks and instantly alert our security officer to intervene and review. Key custom event monitors are set up to notify us of predictable potential threats. We monitor an access log including anonymous demographics to identify request sources. 24 hour response to any potential threat, personally notifying any affected users face-to-face, by verified phone or email. Candidates are vetted during onboarding, e.g. teachers must disclose their Teacher Reference Number matching government DfE records, photo ID and other vital proofs of identity.
Incident management type Supplier-defined controls
Incident management approach We have a documented process triggered by our proactive detection and monitoring strategy. Genuine incidents are analysed by our security experts. Issue logs are kept in Jira and fed directly into the agile SDLC wherever a software change may be necessary. On top of our internal monitors and alerts, end users may notify us in person, by secure web contact form, phone or email in order to report a potential compromise. Where relevant we inform affected users directly of current status, mitigation and any necessary actions required on the part of the user e.g. updating their personal data.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks No


Price £3.50 to £20.00 per transaction
Discount for educational organisations Yes
Free trial available Yes
Description of free trial When you sign up to the SupplyNow tech platform, you will be entitled to 5 days fee free usage. In addition, if you refer another school: 1x successful referral = £50 classroom equipment. 5x successful referrals = £300 classroom or sports equipment. 10x successful referrals = £500 outdoor learning equipment.
Link to free trial
