Panacea Applications Limited

Panacea e-Procurement

Comprehensive e-procurement system for all your contracts for goods / services (framework, DPS, RFQ, e-catalogue, etc). From tender through to evaluation, award, call off and order acceptance. Real-time reporting, contract management, audit trail. Intuitive system used by public sector to cut costs, deliver improved services and comply with procurement law.


  • End-to-end procurement system for any number and type of contract
  • Standard questionnaire, contract-specific questionnaires or PQQ compliant workflow and scoring
  • Evaluation, automated and qualitative scoring, qualification by lot or category
  • e-Catalogue, client portal: simple, secure access to services and supplies
  • Collaboration: simple shared workflow for colleagues, clients and suppliers
  • Estimating and purchasing: instant competitive quotes, mini-tenders, budgeting, client estimate
  • Compliant processes (EU Procurement Law, GDPR) including supplier-selection, call-off, ordering
  • Contract management, performance management, supply-chain management, real-time reporting
  • Option to include delivery confirmation, goods receipt notification, e-invoice
  • Option to integrate with finance systems, invoicing, charging, payments


  • Comprehensive, end-to-end paperless system for your contract management
  • Intuitive, transparent, compliant workflow. Clear audit-trail, real-time reporting.
  • Improve service reputation with simple, tailored processes and interfaces
  • Save time for buyers and suppliers with automated workflow
  • Panacea Software users report 80% reduction in administration time
  • Make cashable cost savings with highly competitive automated supplier estimating
  • Increase productivity, supported self-service, efficient procurement and resource management
  • Track use of service and monitor performance against KPIs
  • Compliant evaluation, automated scoring, weighting options, category management
  • Support remote working with 24 hour access for all users


£6490 per licence per year



G-Cloud 11

Service ID

421489052207392


Panacea Applications Limited

Rachel Wynne


Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints There are no constraints. The buyer needs no specific hardware configuration and no software installation. Panacea Software is available online using any browser. Essential maintenance work and software upgrades are performed outside office hours.
System requirements
  • Internet access
  • Internet browser e.g. Internet Explorer 9+, Edge, Chrome, Firefox, Safari

User support

Email or online ticketing support Email or online ticketing
Support response times Our helpdesk is manned by competent staff from 9am - 5.30pm every business day. We respond to all support requests, by email, ticket, webchat or telephone, within three Working Hours, and in most cases our response is immediate. Online support (user manuals, videos, frequently asked questions, etc.) is available to all Panacea Software users 24 hours a day including weekends and bank holidays. User testimonial: "The support from Panacea is invaluable - there are very few suppliers who provide this level of support so efficiently and consistently." A. Desai, Buckinghamshire County Council
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard None or don’t know
How the web chat support is accessible We use Freshchat to manage web chat with our users. Freshchat does not use WCAG 2 guidelines, as they are not a governmental body. However, they confirm that they always act in accordance with the relevant UK and EU legislation and comply with policies. They may be adding accessibility standards in the future.
Web chat accessibility testing Web chat has been tested during implementation, and is regularly tested on an ongoing basis.
Onsite support Onsite support
Support levels Support is provided to all Users:

a. Panacea will provide online support documentation and videos to all Users via the support icon displayed on every screen of the Web Application.

b. Panacea’s support desk will be manned by competent staff providing Users with technical support and advice on the use of Panacea Software by email or telephone, in clear written or spoken English.

c. Onsite training and support can be provided by agreement if required
d. Named technical account managers are nominated to each subscriber and are available by email, telephone and onsite by arrangement as required.

"The support from the Panacea team itself is invaluable - there are very few suppliers who provide this level of support so efficiently and consistently." Anushka Desai, Buckinghamshire County Council
Support available to third parties Yes

Onboarding and offboarding

Getting started We work closely with the Subscriber to set up and configure the software as required to ensure the software can be implemented with minimum effort creating a simple, intuitive workflow for all users. We provide on-site training as standard when the software is launched, and provide online training to all users as required. Implementation for public sector subscribers takes 4-8 weeks and we offer support to all parties to ensure this process is efficient and effective and achieves the desired outcomes. "Working with the skilled and professional team at Panacea has been a great experience. With their support the system was implemented smoothly and we were quickly up and running" Karen Johnston, Bolton Council.
Service documentation Yes
Documentation formats
  • PDF
  • Other
Other documentation formats
  • MS Word
  • MS Excel
End-of-contract data extraction Upon the termination of the contract, we allow the Customer access to the Panacea Software for a period of 10 Business Days for the sole purpose of the retrieval of Customer Data.
End-of-contract process On termination of the contract, Panacea allows the Customer access to the Panacea Software for a period of 10 Business Days for the sole purpose of the retrieval of Customer Data and the following apply:
(b) all licences and rights granted to the Customer immediately cease;
(c) the Customer ceases all activities (apart from data retrieval) authorised by the agreement;
(d) each party shall return and make no further use of any software, equipment, property, Documentation and other items (and all copies of them) belonging to the other party;
(d) Panacea will destroy or otherwise dispose of any of the Customer Data in its possession, subject to the 10 business days allowed for data retrieval.
(e) The Customer shall pay all reasonable expenses incurred by Panacea in returning or disposing of Customer Data; and the Customer shall immediately pay to Panacea any sums due to Panacea under the contract; and
(e) any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of the agreement which existed at or before the date of termination shall not be affected or prejudiced.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Collapsible menu responsive to lower resolution screen size, for user-friendly view on smaller screen.
Service interface Yes
Description of service interface Our service interface is interactive, configurable and granular so as to provide intuitive and user-friendly tools and data access according to User Role. This enables truly efficient and collaborative working. For example Administrator Users can customise the interface for their clients and colleagues according to each organisation or team's requirements. Suppliers access the tools they need to fulfil their side of the work, and Key Users can monitor the activity of their clients, colleagues and suppliers and manage and report on all activity. The interface to Panacea Software is available online using any browser.
Accessibility standards None or don’t know
Description of accessibility Text throughout is readable by a screen reader, and all non-text content includes tool-tips for this purpose. We use Google’s reCAPTCHA with audio option. Text versions are provided for any video-only content. Pages have titles, breadcrumbs, etc. Information, structure, relationships, and the name, role and value of UI elements are available in text, and error validation text is readable by screen reader. Instructions and content rely only on text (not icons, colours or shapes). Text contrast ratio is at least 4.5:1, everything is resizable and accessible using a keyboard, and there is no keyboard trap. No Flash, no auto-updates, no flashing or moving content, no audio-only content, no time limits.
Accessibility testing Interface testing with:
- Wave web accessibility evaluation tool
- Dragon from Nuance
What users can and can't do using the API Subscribers can use our API to enable simple, secure set-up for internal users from their own intranet. The API includes two interfaces:
1) Test User Exists - a user clicks on a link in the Subscriber's intranet, which sends a request to this API to check if the user already has an account on the Panacea Software system
- If the user has an account they are redirected to login to Panacea Software
- If the user does not have an account, the Create New User API is triggered.
2) Create New User - the Subscriber's intranet application retrieves the user's details from their directory service and sends these details to this API.
- If the user account is created successfully the client is directed to the login URL for Panacea Software and receives an email to generate a password
- If there is a problem, the account will not be created and the user is referred to an appropriate support contact.
API documentation Yes
API documentation formats PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Buyers can customise each module of Panacea Software they purchase, as appropriate for example:
- Branding of software: Colours and logo as standard, bespoke landing page option if required
- Client interface and e-catalogue: forms, options, automated quotes, available items, products and services with preset calculators for instant quotes, preferred suppliers for each service if required
- Templates: Schedules, forms, calculators, branded artwork, branded e-mails
- Code format rules: Budget codes, GL Codes, Cost Centre codes, etc.
- Data for import to finance system(s): Batch files formatted for import (manual or automated) for charging, invoice generation, supplier invoice payment, budget management
- Tender documents: Standard Questionnaire, PQQ, Supplier Questionnaires - question content, structure, formats, types, rules, scoring, pass/fail, etc. and tender stages, timing and workflow, supplier qualification
- Tags, categories and search criteria for digital assets


Independence of resources Panacea Software is hosted within a hybrid-cloud comprising Virtual Private Servers and Dedicated servers. Each Subscriber’s service runs under its own instance on IS with their own database and data folder. Future versions of the software may employ secure multi-tenancy architecture. Every element of our network is monitored and logged 24x7 (Cisco, Juniper). Performance issues requiring investigation are escalated to on-call engineers who quickly take the necessary steps to minimise any impact on users. Servers are patched weekly. All attempts to access the software are logged. Malicious characters and repeated attempts to log in with incorrect passwords are blocked.


Service usage metrics Yes
Metrics types Subscribers can monitor service usage, view login records and user activity metrics including event logs, audit trails, history notes and real-time management information available at the click of a button, including:
• Usage of service
• Analysis of activity, expenditure and income by organisation, department, section, individual, etc.
• Performance reporting on KPIs, supplier selection, feedback, etc.
• Contract management of suppliers, clients, account etc.
• Extensive expenditure and income reporting
• Resource management including time-sheet reporting
• Data export files for interface with other systems
• Customised reports available subject to agreement.
Our service uses TLS version: v1.2
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance None

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with another standard
  • Other
Other data at rest protection approach - We comply with the provisions of the Data Protection Act 1998.
- Access to Panacea Software is restricted via a secure login process for authorised users, with password encryption
- The physical servers are located at Data Centres in the UK with security infrastructure and procedures which are fully compliant with ISO 27001, ISO 22301 and PCI-DSS v3.
Our servers are held in locked racks which can only be opened by individuals
- Firewall: The network is protected by two Fortigate IPS (Intrusion Protection Systems) units providing maximum reliability while filtering any malicious traffic
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data export approach Users can generate, download and export their data in a variety of file formats including html, pdf, csv or xls.
Data can be exported in the format required for import into user's finance systems for supplier payment, client invoicing, internal charging, budget management, etc. Subscribers can opt for specified users to have access to generate and download or export this data, or to automatically generate and export this data by automated file transfer (e.g. daily FTP) to a specified destination.
Data export formats
  • CSV
  • Other
Other data export formats
  • Html
  • Xls
  • PDF
Data import formats
  • CSV
  • Other
Other data import formats Xls

Data-in-transit protection

Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability Panacea Software is hosted on dedicated managed servers with 99.9% network uptime SLA.

Our servers are powered by 6 independent 11kv three phase electrical supplies from 3 separate national grid substations. Standby Generation is provided at N+1 redundancy via diesel engine driven generators. On-site fuel is stored to maintain full load operation for all generator sets for continuous running of 24 hours.

Every element of our network is monitored, supported (by Cisco, Juniper and Fortinet) and logged 24x7. Should an event occur which requires further investigation, an on-call engineer is paged and working on the issue within minutes, before any small problem impacts our service.
Our online support is available 24/7 with telephone and email support available from our help desk during working hours, manned by competent staff providing Users with technical support and advice by email or telephone, in clear written or spoken English.

Defect resolution SLA of 5 working hours for a Severity Class 1 issue, 10 working hours for Severity Class 2 and 2 business days for Severity Class 3 issue, as detailed in our Software Maintenance Policy (available online, as well as via a link on the home page of Panacea Software)
Approach to resilience Panacea Software is hosted in the UK on dedicated managed servers in secure purpose-built hosting facility (details available on request), backed-up to a linked location and a data centre in the UK, to allow data to be restored in the event of catastrophic disaster at the primary site.
Servers are housed in locked racks in centres with accredited security infrastructure, including:
- Independent client card identification access system
- Single-person point of entry, guarded 24/7 and monitored by integrated digital video camera surveillance
- Proximity card access control system
- Protected perimeter fence, fitted with intruder sensing
- 24/7 CCTV coverage of perimeter, common areas, facilities management suites.
Planned maintenance is performed outside business hours, maintenance procedures minimise disruption from unscheduled issues. Business continuity and disaster recovery procedures in place in the event of a catastrophic situation.
Logs and certificates are retained pertaining to the secure disposal of equipment: Hard drives are securely shredded into 15mm strips to prevent recovery of data.
Backed-up data stored in proprietary format is automatically deleted and over-written after seven days.
Subscribers retain access to retrieve their data for 10 working days after termination of contract; thereafter their data is deleted and destroyed.
Outage reporting Subscribers are informed of any planned server outage (e.g., due to a scheduled upgrade), by email alerts (using an approved CRM software)

Every element of the network is monitored and supported (by Cisco, Juniper and Fortinet) and logged 24x7. Should an event occur which requires further investigation, an on-call engineer is paged and is working on the issue within minutes, preventing or minimising any impact on our subscribers.

We use Uptime Robot to monitor the performance of our service and receive outage information via automated email alerts.

We monitor service performance (including outages) and provide performance reports to subscribers if required.

Identity and authentication

User authentication needed Yes
User authentication
  • Username or password
  • Other
Other user authentication Users are granted access to only relevant and authorised sections of the software. This is strictly monitored and reviewed. Additionally, passwords are fully encrypted.
Access restrictions in management interfaces and support channels Only authorised individuals can authenticate to and access management interfaces for Panacea Software or perform actions affecting our service through support channels.
Access to Panacea Software, management interfaces and support channels is strictly restricted to authorised individuals according to clearly defined user roles following secure login process using encrypted passwords.
Every attempt to access the software is logged, repeated attempts with incorrect password are blocked, and users are alerted to any concurrent use of their credentials.
Our operational folders are stored on secure external servers, which can only be accessed via SSL VPN and password, to ensure secure service administration.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 UKAS (IMS International)
ISO/IEC 27001 accreditation date 29/11/2017
What the ISO/IEC 27001 doesn’t cover All aspects of our service are covered by ISO 27001 accreditation. The software, management, and service provision is covered by the certificate noted above, and our hosting subcontractor also holds ISO 27001 accreditation covering the hosting and back-up of our software and data. Certificates are available upon request.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification NCC Group
PCI DSS accreditation date 17/05/2016
What the PCI DSS doesn’t cover This certification is held by our hosting sub-contractor and covers the hosting of our servers. It does not cover our software. We do not currently plan to obtain this certification for our software itself, since the software does not currently accept, process, store or transmit credit card information.
Other security certifications Yes
Any other security certifications
  • Cyber Essentials Certification
  • ISO 9001: 2008 (Quality Management)
  • ISO 14001:2008 (Environmental Management)
  • RMADS (Public Sector Compliance)- Sub-contractor
  • BS OHSAS 18001:2007 (Health and Safety)- Sub-contractor
  • ISO 50001:2011 (Energy Management)- Sub-contractor
  • BS 25999-2:2007 (Business Continuity Management) - Sub-contractor

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Our integrated management system incorporates clear processes to support our company objectives and ensure compliance with our security policies, including:
• Privacy and security of customer data
• Physical security and asset management
• Server security
• Security screening of personnel
• Security incident management
• Software maintenance
• Password security and user access restrictions
• Development and configuration management
• Quality assurance and software testing
• Disaster recovery
• Business continuity

To ensure our policies are followed:
We train all our personnel fully on our information security policies, processes, roles and responsibilities, as follows:
- Security induction training (in-house)
- Security training updates and team training (in-house)
- Security training and cyber-security updates (external accredited provider)
Our processes, including risk assessment, operational planning and all security controls are subject to regular and robust review:
a) Fortnightly testing including functionality, regression and security tests
b) Business continuity exercise scenarios
c) Penetration testing
d) Disaster recovery testing
e) Management reporting and review.
Our security policies and standards which affect our subscribers and their data are included in user training and support materials, and are available to all users on our website.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach We follow standard development guidelines. Our management system includes GitHub for source control and Jira for issue tracking to monitor each requirement from specification, development and testing to release.
Specifications for development and configuration are reviewed against feedback, security guidance and business requirements. Organisational and technical interfaces are defined and tracked. Configuration and change requirements are assessed in terms of scope, adequacy, impact on functionality, scalability, ease of use and potential security.
Our fortnightly release process supports stringent testing protocols. The validation process tests that each component is fit for purpose, and regression testing ensures the security and integrity of existing functionality.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Automated error messages alert us to any attempts to inject malicious code and the software blocks repeated attempts to log in with incorrect passwords. Vulnerabilities identified are recorded on our tracking system, and fixes are resolved and deployed as a matter of priority. As standard, upgrades are deployed fortnightly. All attempts to access the software are automatically logged, including failed logins. Penetration test results confirm our defence against malicious threats including SQL and JS injection attack. Passwords and other sensitive data are encrypted. Windows Servers are patched on a weekly basis and AntiVirus software is automatically updated to identify and deal with any vulnerabilities.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Potential compromises are monitored through:
• Fortigate IPS (Intrusion Protection Systems)
• Every element of network monitored and logged 24/7 (Cisco, Juniper, Fortinet)
• Automated emails alert us to any suspected malicious activity
• Penetration testing by third party accredited provider
• Full-time in-house testing team following strict protocols
Response to potential compromise
- On-call engineer (24/7) resolves any potential compromise to network
- Potential vulnerabilities immediately logged and resolved according to severity, in line with our maintenance policy SLA:
Response time:
Severity class 1: 5 working hours
Severity class 2: 10 working hours
Severity class 3: 2 business days.
Incident management type Supplier-defined controls
Incident management approach Our Incident Management policy is on our website and is covered in our staff and user training and operational manuals:
- Users notify Panacea Support as soon as an incident is suspected or identified, via Phone, Email or WebChat, providing all possible information on details, impact, steps taken
- Our staff and contractors log any incidents, notify Management immediately and thoroughly investigate cause(s), impact on the software and data, immediate action and future mitigation measures, and may need to invoke the Continuity of Business plan if required
Incident reports are provided to our subscribers by email and in service review meetings.

Secure development

Approach to secure software development best practice Supplier-defined process

Public sector networks

Connection to public sector networks No


Price £6490 per licence per year
Discount for educational organisations No
Free trial available No
