XCD HR Limited

XCD HR and Payroll Solution

XCD is a full suite of cloud solutions, delivered as a single solution from one database to provide full employee lifecycle management. Functionality includes Gross & Net (UK) Payroll, Time Management, Expenses, Learning/Talent, Recruitment, and associated functions (Workflow, Reporting, BI, Automation, Document management, mobile) for HR Professionals, Managers and Employees.


  • Single solution HR and Payroll suite
  • Built on world class Salesforce Lightning platform
  • Full UK net payroll for public sector and mid enterprise
  • Full support for single sign on (SSO)
  • Accessible through desktop browser or mobile
  • ERP integration for Finance, PSA, time clocking, biometrics and more
  • Role based access for all employees
  • Full suite covering full employee lifecycle (recruit to retire)


  • Single solution provides seamless collaboration across all functions
  • Data automation has saved customers thousands of hours per year
  • Up to 5.5 days per month can be saved on reporting
  • Global Dashboards allow HR to provide strategic support
  • Manage complex and different contract terms and working hours
  • No re-keying of data required between HR and Payroll
  • Update personal data anywhere, any time using the mobile app


£1.85 to £8.35 per person per month

Service documents


G-Cloud 11

Service ID

502801090595737


XCD HR Limited

Rachel Mudd



Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
XCD HCM Suite is built on the Salesforce platform and is compatible with organisations running Salesforce.com and associated applications, and as a standalone solution leveraging the Salesforce Lightning platform.
Cloud deployment model
Public cloud
Service constraints
Planned maintenance will be in line with the Salesforce maintenance schedule and policy.

Details can be found here: https://help.salesforce.com/articleView?id=000176208&type=1
System requirements
  • Chrome or Edge Browser
  • An Octane score of 20,000 (30,000 recommended)
  • Network latency of 200 ms or lower (150 ms recommended)
  • Download speed of 1 Mbps (3 Mbps recommended)
  • At least 5 GB RAM, with 2 GB available for browser tabs
  • 8 GB RAM, with 3 GB available for browser tabs, recommended

User support

Email or online ticketing support
Email or online ticketing
Support response times
Support hours are UK Monday to Friday 09:00 to 17:30
Excludes Public Holidays.

Resolution times are as follows:

  • Emergency: 24 hours
  • Critical: 48 hours
  • Normal: 5 business days, with a workaround (if available) or consideration for a future release
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
XCD provide the following levels of support:

Standard Support - Access to our Support Team for software issues and queries (included in software fee).

Payroll Support - As per Standard but with enhanced access to the Payroll Support team for technical and payroll processing queries (additional cost per annum, dependent on employee numbers and payrolls).

Premium Support - Additional cost which provides Standard Support plus a number of hours of free consultancy for training, report writing or simple system configuration (additional cost per annum - starts at £6,000).
Support available to third parties

Onboarding and offboarding

Getting started
XCD familiarises users with the system by involving them at an early stage of the project through the Solution Design process. This involves workshops with the customer's 'Super Users' to walk through requirements using the XCD application. At the end of this process, a Solution Design Document (SDD) is created and signed off by both parties. The SDD is used for XCD's testing of the delivered solution as well as during the customer's User Acceptance Testing phase.

Our approach is knowledge transfer through workshops from the XCD Consultants to the customer's Project Team. We expect the customer's Project Team to become "Super Users" of the system.

It is the responsibility of the customer's Project Team to deliver End User Training to the end users of the system. However, XCD can deliver End User Training if requested.
Service documentation
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction
When a contract comes to an end we will work with the customer to assist them in extracting any or all of their data from the XCD system.

This takes the form of consultancy, either advising the customer on the tools available to export data or extracting the data on the customer's behalf.

This is a chargeable consulting activity, scoped and estimated on an individual customer basis; the cost is not included in the ongoing cost of the contract with XCD.
End-of-contract process
When a customer gives XCD notice that they wish to terminate the contract, we arrange a conference call with the customer and appoint an XCD Project Manager to work with the customer's Project Manager to facilitate a smooth offboarding process.

The project managers discuss timelines for items such as the "Last Transaction Date" and "Data Export Options". A project plan or set of agreed activities is then created and resources assigned from both XCD and the customer's side to carry out the activities.

Using the service

Web browser interface
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
The mobile experience is tailored to the screen real estate of the mobile device.

In addition we have mobile specific tasks and workflows to easily manage tasks including expenses, leave, authorisations and approvals and view payslips.
Service interface
Description of service interface
XCD has multiple methods for integrating to and from the application:

1) CSV/flat files - Predominantly used for data import, or for integrating external systems where real-time interfaces are not required.
2) Reporting outputs - Typically used where users wish to inspect the data before importing it into another system, for example GL reporting to Finance.
3) Pseudo real-time REST API - Used for integration where employee, work pattern, leave and associated holiday data is required.
Accessibility standards
None or don’t know
Description of accessibility
Access through either:

  • Native files (for example CSV)
  • Report output
  • REST API with JSON, through a third-party integration tool such as MuleSoft
Accessibility testing
XCD's service interface is data-only and is used for integration with other applications. Therefore we have not tested it with assistive technology.
What users can and can't do using the API
The API is delivered as an extension package associated with the XCD core package.

The API is REST-based and uses JSON for its payloads.

The API covers standard functions in the XCD application relating to:
  • Leave
  • Payroll
  • Overtime payments
  • Expenses
  • Timesheets
  • Performance management

Users can call the API to request information from the XCD application, or to insert data into the XCD application. Because the API can write as well as read, API credentials should be scoped to a dedicated integration user with only the object and field permissions the integration needs.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
The XCD Suite of solutions is highly customisable as it is built on the Lightning platform.

System Administrators can customise the solution in the following ways:
  • Objects and fields
  • New screens (modify existing or build new)
  • Workflows and processes
  • Reports
  • Analytics and BI
  • Process Builders
  • Users
  • Roles and access


Independence of resources
The Salesforce platform regularly handles a daily average of 6 billion transactions, with response times consistently under 250 ms within the Salesforce environment.

Within each logical system, load balancers distribute load among multiple web and application servers for additional scalability and redundancy. The multi-tenant application design, combined with high-performance servers and networking infrastructure, is designed to sustain fast performance for all tenants.

In addition to scaling for growth, Salesforce continually strives to improve the average response time of its services and, to back up these claims, full details of transaction volumes and response times are publicly reported in real time at https://status.salesforce.com/.


Service usage metrics
Metrics types
The service includes various metrics to monitor usage and adoption of the service, for example last login, login duration etc.

For infrastructure detail, metrics are available at https://trust.salesforce.com, which provides performance and availability information for the entire service.

For more specific and in-depth monitoring, customers can extend this capability through Event Monitoring. For example: which applications are being used, by whom, how are they being used, when, from where, and are there performance issues? This data can be used to improve adoption, security and performance of the application.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports


Supplier type
Not a reseller

Staff security

Staff security clearance
Staff screening not performed
Government security clearance

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Scale, obfuscating techniques, or data storage sharding
  • Other
Other data at rest protection approach
Classic Encryption: a native Salesforce application feature that can be used to encrypt specific custom fields. There is no additional cost for this, but it does affect some application functionality (for example, encrypted fields cannot be used in filters or sorting).

More information here: http://sfdc.co/FieldEncryption

Platform Encryption: allows customers to encrypt data stored in Salesforce, such as files and attachments and certain standard and custom fields, and to use an advanced key management system. It uses native, strong, standards-based encryption.

Controls that help protect data include the use of derived data encryption keys and a customer-controlled key rotation, generation and destruction process. Available at additional cost.
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
XCD provides a set of standard templates into which the customer exports their data. This data is then uploaded into the XCD application by the XCD Technical Consultant and tested by both XCD and the customer.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • Other
Other protection between networks
By default, customers connect to the service over the public internet, with all transmissions between the user and the Salesforce Services secured using TLS 1.1 or higher and 128- or 256-bit symmetric encryption. Note that the structured answer above states TLS 1.2 or above; buyers should confirm that TLS 1.0 and 1.1 are disabled for their org rather than merely supported.

The services use International/Global Step Up SSL certificates with 2048-bit public keys. Web service callouts can be secured using TLS, including two-way (mutual) TLS with client certificates.

In addition, customers can partner with a selection of supported ISPs for a more direct connection to the Salesforce service. In the UK, BT is one such ISP. This service is known as Salesforce Express Connect.
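The Event Monitoring passage under Metrics types and the TLS statement above both describe things a buyer's security team would want to check from the login data the platform exposes. The following is an added example, not XCD's or Salesforce's code: it triages a constructed Event Monitoring export for password-guessing patterns (several failures from different addresses followed by a success) and for sessions negotiated below TLS 1.2. The column names (EVENT_TYPE, TIMESTAMP, USER_NAME, SOURCE_IP, LOGIN_STATUS, TLS_PROTOCOL, CIPHER_SUITE) are assumed to match the Login event type of the EventLogFile object, and the rows are constructed for the example.

```python
"""Triage a Salesforce Event Monitoring 'Login' export for weak TLS and password guessing.

Added example; not XCD's or Salesforce's code. The column names are an assumption
about the Login event type, and SAMPLE_LOG is constructed data, not a real org's log.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (assumption): three failures for bob from three
# different addresses followed by a success from a fourth, plus one service
# account still negotiating TLS 1.1.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_NAME,SOURCE_IP,LOGIN_STATUS,TLS_PROTOCOL,CIPHER_SUITE
Login,20190501090001.000,alice@example.gov.uk,198.51.100.10,LOGIN_NO_ERROR,TLSv1.2,ECDHE-RSA-AES256-GCM-SHA384
Login,20190501090105.000,bob@example.gov.uk,203.0.113.5,LOGIN_ERROR_INVALID_PASSWORD,TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256
Login,20190501090110.000,bob@example.gov.uk,203.0.113.6,LOGIN_ERROR_INVALID_PASSWORD,TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256
Login,20190501090115.000,bob@example.gov.uk,203.0.113.7,LOGIN_ERROR_INVALID_PASSWORD,TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256
Login,20190501090120.000,bob@example.gov.uk,203.0.113.8,LOGIN_NO_ERROR,TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256
Login,20190501091500.000,svc-payroll@example.gov.uk,192.0.2.44,LOGIN_NO_ERROR,TLSv1.1,AES128-SHA
"""

# Protocol versions that should not appear once TLS 1.0/1.1 are disabled for the org.
WEAK_TLS = {"TLSv1", "TLSv1.0", "TLSv1.1"}


def parse_login_events(text):
    """Return the Login rows of an EventLogFile CSV export as dicts, in timestamp order."""
    rows = [r for r in csv.DictReader(io.StringIO(text)) if r.get("EVENT_TYPE") == "Login"]
    # TIMESTAMP is a fixed-width yyyymmddHHMMSS.mmm string, so lexical order is time order.
    return sorted(rows, key=lambda r: r["TIMESTAMP"])


def flag_password_guessing(events, threshold=3):
    """Users whose run of >= threshold consecutive failures ends in a successful login.

    Returns {user: {"failures": n, "source_ips": [...]}} where source_ips covers the
    failures and the eventual success; several addresses in one run is the shape of a
    distributed guessing campaign rather than a forgotten password.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["USER_NAME"]].append(e)

    findings = {}
    for user, rows in by_user.items():
        failures, ips = 0, set()
        for r in rows:
            if r["LOGIN_STATUS"] == "LOGIN_NO_ERROR":
                if failures >= threshold:
                    findings[user] = {
                        "failures": failures,
                        "source_ips": sorted(ips | {r["SOURCE_IP"]}),
                    }
                failures, ips = 0, set()  # a success closes the run either way
            else:
                failures += 1
                ips.add(r["SOURCE_IP"])
    return findings


def flag_weak_tls(events):
    """Logins negotiated below TLS 1.2, as (user, source_ip, protocol, cipher_suite)."""
    return [
        (r["USER_NAME"], r["SOURCE_IP"], r["TLS_PROTOCOL"], r["CIPHER_SUITE"])
        for r in events
        if r["TLS_PROTOCOL"] in WEAK_TLS
    ]


if __name__ == "__main__":
    evts = parse_login_events(SAMPLE_LOG)
    for user, detail in flag_password_guessing(evts).items():
        print(f"guessing? {user}: {detail['failures']} failures from {detail['source_ips']}")
    for user, ip, proto, suite in flag_weak_tls(evts):
        print(f"weak TLS: {user} from {ip} negotiated {proto} ({suite})")
```

Run against a real export, the weak-TLS list is the quickest way to find integration clients or old service-account tooling that would break when TLS 1.0/1.1 are switched off, and the guessing finder is a first-pass detection to feed into a SIEM rule alongside the platform's own login-restriction settings.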
Data protection within supplier network
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network
Customer data is protected within the Salesforce service through a mature, standards-based defence-in-depth security architecture. Logical and physical access is strictly controlled and monitored. The controls used are in scope for the company's various security certifications and are audited regularly by third parties.

Controls such as firewalls, intrusion detection, anti-malware, file integrity monitoring are augmented with extensive monitoring to provide robust prevention, detection and response. Internal and external, as well as third-party vulnerability scanning and application penetration testing are also in place.

Availability and resilience

Guaranteed availability
The Salesforce Services are designed with the concept of continuous improvement and Trust (e.g. Availability, Performance and Security) in the infrastructure. Salesforce uses commercially reasonable efforts to make its on-demand services available to its customers 24/7, except for (minimal) planned downtime, for which Salesforce gives customers prior notice, and force majeure events.

Excellent availability statistics (historically 99.9%) are critical to Salesforce's customers’ success and to the success of Salesforce as a company. Salesforce generally does not focus on a specific percentage, as we do not believe our job on availability will ever be “complete”.

Live and historical statistics on Salesforce system performance are publicly published at: https://trust.salesforce.com/en/#systemStatus, and further detail can be shared upon request and NDA.
Approach to resilience
To maximise availability, the service is delivered using a world-class data centre infrastructure consisting of a primary production data centre and a full-capacity secondary data centre for hosting the service provided to customers.

The infrastructure utilises carrier-class components designed to support millions of users. Extensive use of high availability servers and network technologies, and a carrier-neutral network strategy, help to minimise the risk of single points of failure, and provide a highly resilient environment with maximum uptime and performance.
Outage reporting
Outage escalation policies are established and maintained as Salesforce's goal is to rapidly restore service. In the event of an extended outage, periodic updates are provided in near real time to customers via the trust.salesforce.com dashboard site and in addition, service notifications are provided to nominated contacts via various channels such as email.

Update frequency for notifications is dependent on the customer support service plan.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Other user authentication
Salesforce has a comprehensive set of authentication mechanisms that customers can choose from. These include the built-in username and password option, single sign-on, social sign-on through another application such as Google, integration with a customer's existing identity management systems, and two-factor authentication; the application can also act as a Service Provider or Identity Provider for SSO integration using SAML.
Access restrictions in management interfaces and support channels
Management access for service support and delivery is controlled through multiple layers of controls including, but not limited to, two-factor authentication, bastion hosts and proxy controls, and segregation of duties. These controls are in scope for SSAE-18 auditing and are evidenced in the SOC 2/ISAE 3402 report.

Access to the management interface through which the customer configures their Salesforce environment is configured by the customer themselves; the options are outlined in the response above. Robust application design and testing ensure that users without administrative access rights cannot reach the more sensitive areas of the application.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Description of management access authentication
Customers can choose from a comprehensive set of authentication mechanisms.

These include the built-in username and password option, single sign-on, social sign-on through another application such as Google, integration with a customer's existing identity management systems, and two-factor authentication; the application can also act as a Service Provider or Identity Provider for SSO integration using SAML.

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
XCD has a formal approach to security governance, which has been enhanced under our review of processes following the introduction of GDPR. This includes physical access security, hardware security, printing restrictions and the introduction of a Security Incident Review process. We will achieve Cyber Essentials in 2019.
Information security policies and processes
We have a robust information security policy and a set of defined processes which are externally audited.

These include:
  • All locations protected against cyber attack through physical and internet access controls
  • Secure-by-design hardware and infrastructure with up-to-date patching policies
  • Defined policies for the storage and retention of sensitive and PII data
  • Incident and breach management process
  • Training and awareness for all staff and customers

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Infrastructure and policy change management is handled by the executive team. Development change management is covered in our SDLC and enacted through our specification process, tooling and release management process.

The client environment uses a change management object in which changes to the org are recorded and agreed with the client. We also have tooling that allows us to audit any changes to the environment on request or prior to a release.

For client issues and requests we use Case Management, where each request is stored, communicated and documented. During implementation, the Project Manager is responsible for change management and keeps a project log.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Salesforce has various vulnerability management processes in place around internal scanning, external scanning & vendor patch release management.

Technical operations and security personnel monitor vulnerability alerts and patch release notifications from vendors and other sources, with associated evaluation and deployment processes in place. Salesforce also regularly performs vulnerability self-assessments using various tools and techniques, such as Qualys.

In addition, Salesforce uses external service providers to perform an application vulnerability assessment after each major release (three times annually) and network vulnerability assessments quarterly. There is also an on-going external application scanning service used.

Further detail on responsible disclosure here https://trust.salesforce.com/en/security/responsible-disclosure-policy/.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Salesforce's Computer Security Incident Response Team (CSIRT) uses a security event logging and management system to manage the alerts and logs generated by devices on our network and provide protective monitoring.

The system consists of a central database, management server, and distributed agents. The distributed agents receive events from network devices and systems (firewalls, IDS, routers, switches, hosts, file integrity, and database monitoring) on the network, then compress, encrypt, and transmit the data to the management server and database for processing.

Correlated events are configured to generate alerts and logs which are monitored on a 24/7 basis.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Salesforce has a formal Incident Management Process that guides the Salesforce Computer Security Incident Response team in investigation, management, communication, and resolution activities.

Salesforce will promptly notify the customer in the event of any security breach of the Service resulting in an actual or reasonably suspected unauthorised disclosure of Customer Data.

Notification may include phone contact by Salesforce support, email to the customer's administrator and Security Contact, and public posting on trust.salesforce.com. Salesforce.com is a member of the Forum of Incident Response and Security Teams (FIRST) and complies with the FIRST framework and best practices for incident response.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


Discount for educational organisations
Free trial available