XCD HR and Payroll Solution
XCD is a full suite of cloud solutions, delivered as a single solution from one database to provide full employee lifecycle management. Functionality includes Gross & Net (UK) Payroll, Time Management, Expenses, Learning/Talent, Recruitment, and associated functions (Workflow, Reporting, BI, Automation, Document management, mobile) for HR Professionals, Managers and Employees.
- Single solution HR and Payroll suite
- Built on the world-class Salesforce Lightning platform
- Full UK net payroll for public sector and mid enterprise
- Full support for single sign on (SSO)
- Accessible through desktop browser or mobile
- ERP integration for Finance, PSA, time clocking, biometrics and more
- Role based access for all employees
- Full suite covering full employee lifecycle (recruit to retire)
- Single solution provides seamless collaboration across all functions
- Data automation has saved customers thousands of hours per year
- 5.5 days per month can be saved on reporting
- Global Dashboards allow HR to provide strategic support
- Manage complex and different contract terms and working hours
- No re-keying of data required between HR and Payroll
- Update personal data anywhere, any time using the mobile app
£1.85 to £8.35 per person per month
- Pricing document
- Skills Framework for the Information Age rate card
- Service definition document
- Terms and conditions
XCD HR Limited
|Software add-on or extension||Yes, but can also be used as a standalone service|
|What software services is the service an extension to||XCD HCM Suite is built on the Salesforce platform and is compatible with organisations running Salesforce.com and associated applications, and as a standalone solution leveraging the Salesforce Lightning platform.|
|Cloud deployment model||Public cloud|
Planned maintenance will be in line with the Salesforce maintenance schedule and policy.
Details can be found here: https://help.salesforce.com/articleView?id=000176208&type=1
|Email or online ticketing support||Email or online ticketing|
|Support response times||
Support hours are UK Monday to Friday 09:00 to 17:30
Excludes Public Holidays.
Resolution times are as follows:
- Emergency: 24 hours
- Critical: 48 hours
- Normal: 5 business days - workaround (if available) or considered for a future release
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||WCAG 2.1 AA or EN 301 549|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
XCD provide the following levels of support:
Standard Support - Access to our Support Team for software issues and queries (included in software fee).
Payroll Support - As per Standard but with enhanced access to the Payroll Support team for technical and payroll processing queries (additional cost per annum - dependent on employee numbers and payrolls).
Premium Support - Additional cost which provides Standard Support plus a number of hours of free consultancy for training, report writing or simple system configuration (additional cost per annum - starts at £6,000).
|Support available to third parties||Yes|
Onboarding and offboarding
XCD gets users familiar with the system by involving them at an early stage in the project through the Solution Design process. This involves workshops with the customer's 'Super Users' to walk through requirements using the XCD application. At the end of this process, a Solution Design Document (SDD) is created and signed off by both parties. The SDD is used for XCD testing of the delivered solution as well as during the customer User Acceptance Testing phase.
The approach we use is that of Knowledge Transfer and workshops from the XCD Consultants to the customer's Project Team. We expect that the customer's Project Team will become "Super Users" of the system.
It will be the responsibility of the customer Project Team to deliver End User Training to the End Users of the system. However, XCD can deliver End User training if requested.
|End-of-contract data extraction||
When a contract comes to an end we will work with customers to assist them in extracting any or all of their data from the XCD system.
This will take the form of consultancy to advise customers on what tools are available to export data, or to actually extract the data on behalf of the customer.
This is a chargeable consulting activity which would be scoped and estimated on an individual customer basis; this cost is not included in the ongoing cost of the contract with XCD.
When a customer issues XCD with notice that they wish to terminate the contract, we arrange a conference call with the customer and appoint an XCD Project Manager to work with the customer's Project Manager to facilitate a smooth offboarding process.
The project managers will discuss timelines for items such as "Last Transaction Date" and "Data Export Options". A Project Plan or set of agreed activities will then be created and resources assigned to carry out the activities from both XCD's and the customer's perspective.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||
The mobile experience is tailored specifically to the screen real estate of the mobile device.
In addition we have mobile-specific tasks and workflows to easily manage tasks including expenses, leave, authorisations and approvals, and to view payslips.
|Description of service interface||
XCD has multiple methods for integrating to and from the application:
1) CSV/flat files - predominantly used for data import or for integrating external systems where real-time interfaces are not required.
2) Reporting outputs - typically used where users wish to inspect the data prior to import into another system, for example GL reporting to Finance.
3) Pseudo-real-time REST API - used for integration where Employee, Work Pattern, Leave and associated holiday data are required.
|Accessibility standards||None or don’t know|
|Description of accessibility||
Access is through one of:
- Native files (for example CSV)
- A report output
- REST API with JSON through a third-party integration tool such as MuleSoft
|Accessibility testing||XCD's service interface is data only and used for integration into applications. Therefore we have not tested with assistive technology.|
|What users can and can't do using the API||
The API is delivered as an extension package associated with the XCD core package.
The API is REST utilising JSON to deliver its payload.
The API covers standard functions in the XCD application relating to:
- Overtime payments
- Performance management
Users can call the API to request information from the XCD application, or insert data into the XCD application.
|API documentation formats|
|API sandbox or test environment||Yes|
|Description of customisation||
The XCD Suite of solutions is highly customisable as it is built on the Lightning platform.
System Administrators can customise the solution in the following ways:
- Objects and Fields
- New Screens (modify existing or build new)
- Workflows and Processes
- Reports
- Analytics and BI
- Process Builders
- Users
- Roles and Access
|Independence of resources||
The current daily transaction average for the Salesforce platform is regularly 6 billion, consistently at sub-250 ms response time within the Salesforce environment.
Within each logical system, we use load balancers to distribute load among multiple web and application servers for additional scalability and redundancy. The multi-tenant application design, combined with the fastest servers and high-performance networking infrastructure available, guarantees fast performance.
In addition to scaling for growth, Salesforce continually strives to improve the average response time of our services and, to back up our claims, full details of transaction volumes and response times are publicly reported in real-time at https://status.salesforce.com/.
|Service usage metrics||Yes|
The service includes various metrics to monitor usage and adoption of the service, for example, last login, login duration etc.
For infrastructure detail, metrics are available at https://trust.salesforce.com, which provides performance and availability information for the entire service.
For specific metric monitoring and for more in-depth detail, customers can extend capability through the use of Event Monitoring. For example: which applications are being used, by whom, how they are being used, when, from where, and whether there are performance issues. This data can be used to improve adoption, security and performance of the application.
|Supplier type||Not a reseller|
|Staff security clearance||Staff screening not performed|
|Government security clearance||None|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||‘IT Health Check’ performed by a CHECK service provider|
|Protecting data at rest||
|Other data at rest protection approach||
Classic Encryption: native Salesforce application feature which can be used to encrypt specific custom fields. There is no additional cost for this, but it does impact some application functionality.
More information here: http://sfdc.co/FieldEncryption
Platform Encryption: Platform Encryption allows customers to encrypt data stored through Salesforce such as: files and attachments, certain standard and custom fields, and use an advanced key management system. It uses native strong, standards-based encryption.
Controls help to protect data, which include the use of derived data encryption keys and customer-controlled key rotation, generation, and destruction process. Available for an additional cost.
|Data sanitisation process||Yes|
|Data sanitisation type||Deleted data can’t be directly accessed|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||XCD has a set of standard templates that the customer exports their data to. This data is then uploaded into the XCD application by the XCD Technical Consultant and tested by both XCD and the customer.|
|Data export formats||CSV|
|Data import formats||CSV|
|Data protection between buyer and supplier networks||
|Other protection between networks||
By default, customers connect to the service over the public internet with all transmissions between the user and the Salesforce Services secured using TLS 1.1 or higher and encrypted using 256 or 128-bit encryption.
The services use International/Global Step Up SSL certificates with 2048-bit Public Keys. Web Service callouts can be secured using TLS, as well as with two-way TLS.
In addition, customers can partner with a selection of supported ISPs for a more direct connection to the Salesforce service. In the UK, BT are one such ISP. This service is known as Salesforce Express Connect.
|Data protection within supplier network||
|Other protection within supplier network||
Customer data is protected within the Salesforce service through a mature, standards-based defence-in-depth security architecture. Logical and physical access is strictly controlled and monitored. The controls used are in scope for the various security certifications the company holds, and are audited regularly by third parties.
Controls such as firewalls, intrusion detection, anti-malware, file integrity monitoring are augmented with extensive monitoring to provide robust prevention, detection and response. Internal and external, as well as third-party vulnerability scanning and application penetration testing are also in place.
Availability and resilience
The Salesforce Services are designed with the concept of continuous improvement and Trust (e.g. Availability, Performance and Security) in the infrastructure. Salesforce uses commercially reasonable efforts to make its on-demand services available to its customers 24/7, except for (minimal) planned downtime, for which Salesforce gives customers prior notice, and force majeure events.
Excellent availability statistics (historically 99.9%) are critical to Salesforce's customers’ success and to the success of Salesforce as a company. Salesforce generally does not focus on a specific percentage, as we do not believe our job on availability will ever be “complete”.
Live and historical statistics on Salesforce system performance are publicly published at: https://trust.salesforce.com/en/#systemStatus, and further detail can be shared upon request and NDA.
|Approach to resilience||
To maximise availability, the service is delivered using a world-class data centre infrastructure consisting of a primary production data centre and a full-capacity secondary data centre for hosting the service provided to customers.
The infrastructure utilises carrier-class components designed to support millions of users. Extensive use of high availability servers and network technologies, and a carrier-neutral network strategy, help to minimise the risk of single points of failure, and provide a highly resilient environment with maximum uptime and performance.
Outage escalation policies are established and maintained as Salesforce's goal is to rapidly restore service. In the event of an extended outage, periodic updates are provided in near real time to customers via the trust.salesforce.com dashboard site and in addition, service notifications are provided to nominated contacts via various channels such as email.
Update frequency for notifications is dependent on the customer support service plan.
Identity and authentication
|User authentication needed||Yes|
|Other user authentication||Salesforce has a comprehensive set of authentication mechanisms that customers can choose from. These include the inherent username and password option, Single Sign-on, Social Sign-on through another application such as Google, integration with existing identity management systems a customer may have, two-factor authentication, and the application can also act as a Service Provider or Identity Provider for SSO integration using SAML.|
|Access restrictions in management interfaces and support channels||
Management access for service support and delivery is done through multiple layers of controls including, but not limited to, multiple two-factor authentication, bastion host and proxy control, and segregation of duties. These controls are in scope for SSAE-18 auditing and are evidenced through the SOC 2/ISAE 3402 report.
Access to the management interface for the customer to configure their Salesforce environment is configured by the customer themselves. The options are outlined in the above response. Robust application design and testing ensure that users without administrative access rights cannot access more sensitive areas of the application.
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
|Description of management access authentication||
Customers can choose from a comprehensive set of authentication mechanisms.
These include the inherent username and password option, Single Sign-on, Social Sign-on through another application such as Google, integration with existing identity management systems a customer may have, two-factor authentication, and the application can also act as a Service Provider or Identity Provider for SSO integration using SAML.
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users have access to real-time audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||No|
|Named board-level person responsible for service security||Yes|
|Security governance certified||No|
|Security governance approach||XCD has a formal approach to Security Governance which has been enhanced under our review of processes following the introduction of GDPR. This includes physical access security, hardware security, printing restriction and the introduction of Security Incident Review processes. We will achieve Cyber Essentials in 2019.|
|Information security policies and processes||
We have a robust information security policy and set of defined processes which are externally audited.
- All locations protected against cyber attack through physical and internet access controls
- Secure-by-design hardware and infrastructure with up-to-date patching policies
- Defined policies for the storage and retention of sensitive and PII data
- Incident and breach management process
- Training and awareness for all staff and customers
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
Infrastructure and Policy change management is through the exec team. Development change management is covered in our SDLC and enacted through our specification process, tooling and release management process.
The client environment utilises a change management object where changes to the Org are recorded and agreed with the client. We also have tooling that allows us to audit any changes to the environment on request or prior to release.
For client issues and requests, we use Case Management, where each request is stored, communicated and documented. During implementation, the Project Manager is responsible for Change Management and will keep a project log.
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||
Salesforce has various vulnerability management processes in place around internal scanning, external scanning and vendor patch release management.
Technical operations and security personnel monitor vulnerability alerts and patch release notifications from vendors and other sources. There are associated evaluation and deployment processes in place. Salesforce also regularly performs self-vulnerability assessments using various tools and techniques, such as Qualys.
In addition, Salesforce uses external service providers to perform an application vulnerability assessment after each major release (three times annually) and network vulnerability assessments quarterly. There is also an on-going external application scanning service used.
Further detail on responsible disclosure is available at https://trust.salesforce.com/en/security/responsible-disclosure-policy/.
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||
Salesforce's Computer Security Incident Response Team (CSIRT) uses a security event logging and management system to manage the alerts and logs generated by devices on our network and provide protective monitoring.
The system consists of a central database, management server, and distributed agents. The distributed agents receive events from network devices and systems (firewalls, IDS, routers, switches, hosts, file integrity, and database monitoring) on the network, then compress, encrypt, and transmit the data to the management server and database for processing.
Correlated events are configured to generate alerts and logs which are monitored on a 24/7 basis.
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||
Salesforce has a formal Incident Management Process that guides the Salesforce Computer Security Incident Response team in investigation, management, communication, and resolution activities.
Salesforce will promptly notify the customer in the event of any security breach of the Service resulting in an actual or reasonably suspected unauthorised disclosure of Customer Data.
Notification may include phone contact by Salesforce support, email to customer's administrator and Security Contact and public posting on trust.salesforce.com. Salesforce.com is a member of the prestigious Forum of Incident Response and Security Teams (FIRST) and complies with the FIRST framework and best practices for incident response.
|Approach to secure software development best practice||Supplier-defined process|
Public sector networks
|Connection to public sector networks||No|
|Price||£1.85 to £8.35 per person per month|
|Discount for educational organisations||No|
|Free trial available||No|