Basware Holdings Limited

Basware Purchase to Pay

Purchase to Pay cuts spending costs by capturing requisitions/purchase orders for goods and service and cost savings through efficiencies to invoice processing for PO and non-PO based invoices. Financial control is achieved, applying DOA accurately, with complete auditability and budget visibility for budget holders, with seamless integration with ERP/finance systems.


  • Amazon-like shopping experience for ordering goods and services
  • Ability to raise PO's using PO/invoice approval on mobile devices
  • Straight through processing of invoices where PO has been raised
  • Comprehensive audit reports for full P2P process
  • Processing non-PO invoices, such as utilities and unsupported POs
  • Hosted and punch out catalogues, and free text NCRs
  • Simple receipting and available on mobile device
  • Digitalise any invoice format from suppliers
  • Optimise ERP with supplier, cost centre and GL code information


  • Capture all purchase transactions through Amazon like user experience
  • Free up AP/finance staff through touchless processing of invoices
  • Approval of unsupported invoices and invoicing where no PO required
  • Approval of PO's or invoices on mobile devices
  • Complete visibility of requisitions, PO's, receipts and invoices
  • Efficient invoice processing even where PO has not been raised
  • Resolve invoicing issues effectively through collaboration of Finance and Operations
  • 2 or 3-way matching ensuring invoices are processed efficiently
  • Contract compliance using hosted or punch out catalogues


£2.07 a unit

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

5 0 2 3 6 6 0 5 9 1 0 2 7 6 3


Basware Holdings Limited Mark Fleming
Telephone: 0845 603 2885

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Can be used as a standalone service or extension to a new or existing Basware Marketplace, Basware eInvoice or any other 3rd Party ERP or Finance System. Can be extended with Basware ePayments, Pay or Discount.
Cloud deployment model
Public cloud
Service constraints
Basware uses a continuous development methodology, with an automated delivery pipeline, to continuously release small updates with low associated risk. There are two different update types: monthly updates and maintenance updates. The monthly update is used to deliver the vast majority of new features, enhancements, and bug fixes and are typically applied in maintenance periods, maintenance updates are applied on a on demand basis and users are normally unaware that an update has is being applied. Typically more than two-thirds of updates are carried out without service downtime.
System requirements
  • Accessed via internet or a direct point to point connection
  • Supports current browser versions of the major browsers

User support

Email or online ticketing support
Email or online ticketing
Support response times
"Depending on severity and SLA.

Severity Class Target Response
Time Critical Within 1 working hour
High Within 8 Working Hours
Medium Within 16 Working Hours
Low Within 40 Working Hour

For a committed response and Resolution Time, Basware offers enhanced support SLA's (silver and gold) as described in the related SLAs"
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
We use ServiceNow to provide our online web chat support service. Service Now complies with Web Content Accessibility Guidelines 2.0, Level A and AA. The London Web Content Accessibility Guidelines (WCAG) 2.0 document on the ServiceNow web site ( describes accessibility features and limitations of the platform as of July 2018.
Web chat accessibility testing
ServiceNow test the accessibility of their products using the assistive technologies JAWS, NVDA, and VoiceOver.
Onsite support
Yes, at extra cost
Support levels
Basware Global Support model is aligned with ITIL (IT Infrastructure Library). Support is available during local business hours.24/7 support can be provided as an option. The Service Desk provides advice and assistance about: • Operational use and service requests related to the software or service • Suspected incidents and problems. This is underpinned by Service Level agreements. There are 3 levels of support designed for different types of organisation, with SaaS 2 offered as the service level for G-Cloud customers. Key elements of the service such as service updates, data security, Single Sign On, Maintenance, Business Continuity and Disaster Recovery are commonly covered.
Support available to third parties

Onboarding and offboarding

Getting started
Rapid delivery of value for our customers is a key element of the Basware offering and the on-boarding of both users and suppliers will be key. The implementation of the Basware solution will identify what are the key deliverables for the organisation and then focus the implementation on achieving these aims. Rapid design and build of the solution will then lead on to ensuring users both finance/AP and operational can be onboarded as effortlessly and quickly as possible. Training approaches will be dependent on the needs of each customer, but train the trainer and training documentation are always utilised during the implementation. Supplier on-boarding should not be ignored and the Basware invoice processing solution, when used with Basware eInvoice will allow suppliers many options for submitting invoices to our customers, thus ensuring that suppliers are onboarded quickly and with minimal resources.
Service documentation
Documentation formats
End-of-contract data extraction
As it is an entirely managed service it is simply a matter of ceasing access to the service and ensuring that all client owned information is returned to them. This is part of the service provided. If the service is terminated then all business documents and associated metadata held within the Customer's systems can be exported using the application's export functionality by the Customer. Metadata will be in human readable format.
End-of-contract process
On completion of the call off, we can simply cease the services and the processes for doing so are clearly articulated within the arrangement. As it is an entirely managed service it is simply a matter of ceasing access to the service and ensuring that all client owned information is returned to them. All confidentialities relating to the services are maintained indefinitely as part of the arrangement.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Application optimised to work with mobile devices using HMTL5. Only for AP Clerks and Buyers a larger screen would be required.
Service interface
Description of service interface
The service interface is accessible either via direct login. The service interface provides access to both the procurement and system administration tools. The system functionality available to each user is determined by their role. The role for each user is determined by the system administrators.
Accessibility standards
WCAG 2.1 A
Accessibility testing
Internal testing using tools to verify the level of compliance with WCAG standards.
What users can and can't do using the API
The library of available API's is documented at:
API documentation
API documentation formats
API sandbox or test environment
Customisation available


Independence of resources
The hosted service works in such a way that it has no capacity issues in respect of the content and transactions managed within the service. The hosted network is running at approximately 20% capacity at peak times, accommodating even the largest spikes in traffic. As network utilisation reaches 30% more network capacity will be added to ensure that customers never experience network degradation, even if one of the providers has an outage. Current bandwidth capacity is 6.3 Gbps. The environment is proactively supported by a 24/7/365 dedicated support team ensuring it is not affected by the demands of other customers.


Service usage metrics
Metrics types
Operational Metrics - AP KPI – Overview dashboard provides information on 4 strategic key performance indicators (KPI):
- E-invoice Rate – indicates the % of all invoices which are electronic
- Spend under control – invoices based on PO or payment plan (Contract) Automatically matched
- Paid on time – % of invoices which are paid on or before the designated due date
- Performance trend - The dashboard also has the trend of each specific strategic KPI as well as the breakdown of each strategic KPI in bar charts
Reporting types
Regular reports


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Encryption of all physical media
Data sanitisation process
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
The service can be scheduled to export data and image files on a regular basis. Documents can be bulk uploaded in XLS, XML and CSV formats. Basware can support virtually any structured data format.The service will export individual transactions either grouped into a batch or as separate invoice sets (content, image & attachments). The latter is the more common method of transfer. These can be Zipped and signed as required.
Data export formats
  • CSV
  • Other
Other data export formats
Data import formats
  • CSV
  • Other
Other data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Basware consistently operates the Basware service to meet a target level of 99.9% of time during a combination of core and non-core hours (97.5% during the first month of service or following a major release). Further information included in Service Definition document. This is underpinned by our Service Level Agreements which provide for Uptime performance of 99%/99.5%.
Approach to resilience
Available on request
Outage reporting
Outages would be reported via email alerts. Scheduled Maintenance Windows Scheduled maintenance windows are required to allow for security updates, application upgrades and patching, addition of new hardware, etc. Basware reserves the right to specify the times of scheduled maintenance windows which will be targeted to be outside the hosting location's typical business working hours in order to keep the service interruption time for endusers close to zero. The scheduled maintenance windows may take place with 5 days notice. A maximum of two maintenance windows will be used in any month. During the maintenance window users will be informed of the unavailability of the service. For SaaS Three Customers only the notice period is extended to 10 days. Basware Analytics maintenance may take place with 5 days notice. A maximum of two maintenance windows will be used in any month. During the maintenance window users will be informed of the unavailability of the service. Unscheduled Maintenance Windows: If unscheduled maintenance windows are required then 48 hours notice will be provided. If emergency repairs or updates are required, for example to apply security patches, then if the urgency is low enough 24 hours notice will be provided.

Identity and authentication

User authentication needed
User authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels
Basware has documented logical access controls, for requesting and granting access rights to production systems and applications. Access is on a role-based model, approved by management. Access rights are removed from operating systems and applications immediately after termination/transfer of employment and specific notification from HR or supervisors. Access profiles defining roles based on user job functions are documented and used to restrict access. These follow the principle of least privilege. Root, Administrator and other privileged operating system level access to production system is restricted to authorised individuals. Operating system and applications are configured to enforce minimum requirements for password quality/expiration.
Access restriction testing frequency
At least once a year
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
ISAE 3402
Information security policies and processes
Basware Information Security Policy describes the practices through which Basware assures its existing and future customers, partners and employees that their information is securely handled, stored and processed. The Information Security Policy target is to comply with the ISO 27001 standards. The minimum target is to comply at all times with the local legal requirements. Within the organisation, the Chief Financial Officer is responsible for the main policies concerning security, for its strategic steering and monitoring, and for the allocation of sufficient resources. In addition, Security Steering Group coordinates the overall security. Security Steering Group is chaired by the CFO.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
The Basware solution has been built to be managed by our customers and configuration changes would typically be carried out by the customer organisation. Basware's software as a service offering does not work on the approach that our customers are buying services from us for configuration changes. If Basware is required to make changes then a formal and documented change management process must be followed. Configuration changes are documented as change request tickets.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Systems are scanned for vulnerabilities at regular intervals. Customer production systems are scanned weekly. Customer and internal IT production systems are scanned internally with privileged system credentials for: hard-to-find vulnerabilities and configuration errors, installed software patches, and system configuration compliance against applicable benchmark standards. Risks are recorded in a risk register. The risk assessment includes business impact assessment, threat assessment, and vulnerability assessment. Risk management includes risk mitigation actions, risk avoidance, risk transfer, and risk acceptance in full or in part. Risk mitigation may include preventive, reactive, and corrective actions. Reactive and corrective actions are triggered by risk realisation.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
If production systems and business applications generate security events, for example both successful and failed instances of user logon and logoff, changes in privileges, such as user and access management, software changes and removal, system and application configuration changes, and significant system events. Create, read, update, and delete access on customer data is monitored. Exceptional access (outside of standard data flow) generates security events. Security events are transferred to a secure monitoring system as soon as events are generated and buffered locally to prevent event loss in case of break in communications with the secure monitoring system.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Production environments are monitored for incidents and failures and incident tickets are opened for anomalies. Monitoring includes internal and external performance. Production environment activity is monitored by reviewing most common system and application log events in weekly meetings. Event logs are collected and stored. A service level agreement (SLA) for service availability and performance is in place. Performance against the SLA is monitored, measured and reported to customers on a monthly basis including statistics on incident management.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£2.07 a unit
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.