Procurement Analytics

Procurement Activity Manager (PAM)

PAM is a Cross Functional Project Management System for developing, managing and reporting on Cost Improvement Programmes. PAM supports project management against defined milestones with planned, forecast and actual savings based on real-time spend. Workflow seamlessly connects multiple teams to generate project pipelines and provide teams with visibility and accountability.


  • CIP Tracker
  • Project Management
  • Real time Reporting
  • Management Reports
  • Data Analysis
  • Real-time data collection
  • Workflow
  • Document Storage
  • Governance
  • Multi user access


  • Increase Savings
  • Generate pipeline of procurement initiatives
  • Communication channel between Procurement, Systems and Materials Management
  • Automatically track actual savings in real time
  • Store all data and documentation in a central data repository
  • Reduce time/cost of collating, validating and reporting data
  • Provide governance and assurance
  • Report to Finance and PMO at CCC Level
  • Identify slippage or areas of risk in order to mitigate
  • Increase CIP Delivery


£4000 per licence per month

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 10


Procurement Analytics

Ashley Waterman


Service scope

Software add-on or extension No
Cloud deployment model Public cloud
Service constraints Real-time Actual Savings Tracking requires an interface with Purchasing (PO) or Finance (AP) data.
System requirements
  • Microsoft Windows environment
  • Network to allow access to Microsoft Azure (Cloud Service)

User support

Email or online ticketing support Email or online ticketing
Support response times Support dependent on Severity Level as set out in SLA. Urgent queries responded to within 24 hours.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Level 1: 8 hours of developer time for Development, Configuration and Application Support; Includes Hot Fixes and access to all Version Upgrades. Level 2: 16 hours of developer time for Development, Configuration and Application Support; Includes Hot Fixes and access to all Version Upgrades. Level 3: 24 hours of developer time for Development, Configuration and Application Support; Includes Hot Fixes and access to all Version Upgrades.
Support available to third parties No

Onboarding and offboarding

Getting started Initial system training is provided onsite as part of the system implementation process. Additional training is available either remotely or onsite as required. The system also includes detailed user documentation which describes the steps required for setting up and managing projects.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction All customer data can be exported from the system and provided in a CSV file format. This is provided as per the normalised table structure.
End-of-contract process The customer has the option to continue with the contracted service or to terminate the contract. If the contract is terminated, the customer's data will be made available in the agreed format. The customer will no longer have access to the Cloud service via the application.

Using the service

Web browser interface No
Application to install Yes
Compatible operating systems Windows
Designed for use on mobile devices No
Accessibility standards None or don’t know
Description of accessibility The service is accessed via a software application which is installed on the user's computer or laptop device. The software has a very intuitive user interface which ensures ease of access and use. The data is securely stored on an SQL Database on the Microsoft Azure Cloud Platform.
Accessibility testing We have not as yet completed any assistive technology testing
Customisation available Yes
Description of customisation The service can be customised to include bespoke data items in order to meet specific customer requirements. This can be completed with support from the provider's development team as part of the SaaS agreement.


Independence of resources Each organisation licence includes a dedicated service which is isolated from other customers. Therefore, increased demand from other organisations has no impact on service level. Database services are dynamically scalable to handle an increase in data or system usage.


Service usage metrics Yes
Metrics types User login statistics
Reporting types
  • Real-time dashboards
  • Regular reports


Supplier type Reseller providing extra features and support
Organisation whose services are being resold Rembrace Ltd

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process No
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach Data reports can be run in the application and exported to Excel or self service access through Microsoft Power BI and exported in the preferred format.
Data export formats CSV
Data import formats
  • CSV
  • Other
Other data import formats Xlsx

Data-in-transit protection

Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability In order to enable the client to do business effectively, the supplier guarantees that the service will be available for a certain percentage of time. Guaranteed uptime: 98%. Uptime is measured using automated systems, over each calendar month. It is calculated to the nearest minute, based on the number of minutes in the given month (for instance, a 31-day month contains 44,640 minutes). If uptime for any item drops below the relevant threshold, a penalty will be applied in the form of a credit for the client. This means the following month’s fee payable by the client will be reduced on a sliding scale. The level of penalty will be calculated depending on the number of hours for which the service was unavailable, minus the downtime permitted by the SLA. Penalty per hour is 3% of total monthly fee.
Approach to resilience All data is replicated a minimum of three times across multiple hardware racks to ensure durability and high availability. Data can also be backed up to a second geographic location. So even in the case of a complete regional outage or a regional disaster in which the primary location is not recoverable, the data is still durable.
Outage reporting Outages are reported via email alerts

Identity and authentication

User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Customer can apply administrative rights to certain user accounts. Only these power users will have access to management interfaces and in turn can apply rights to other selected users. Standard users do not have any access to these higher management functions. System login is based on Windows authentication, which prevents standard users logging in with administrative users' credentials.
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Access to user activity audit information No audit information available
Access to supplier activity audit information No audit information available
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards CSA CCM version 3.0
Information security policies and processes Security policies and processes are documented with a named security officer. We follow a clean desk policy with all documentation stored in locked units. Information is classified according to an appropriate level of confidentiality, integrity and availability. Staff are trained to handle documentation according to the information classification. Policy breaches are to be reported and dealt with accordingly. Information policies are reviewed and updated on a regular basis.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach All change requests are managed through a single system with a standardised change control form. All changes are assessed on their merit and whether they introduce any risk to the integrity or security of the system. Any changes must be approved by a Change Control Board. Changes are then managed through a process tracking log with a named accountable person.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We use Microsoft Azure's integrated vulnerability assessment. Each of our virtual machines on Azure has this assessment solution installed. Once deployed, the Qualys agent will start reporting vulnerability data to the Qualys management platform, which in turn provides vulnerability and health monitoring data back to Security Center. Users can quickly identify vulnerable VMs from the Security Center dashboard. We use MS Azure Update Management for patch alerts to ensure patches are deployed immediately.
Protective monitoring type Supplier-defined controls
Protective monitoring approach From Azure Monitor we can now get at-a-glance reporting on the health and performance of all our cloud resources, from virtual machines to applications to individual lines of code in the applications. Policies and processes are in place to appropriately manage and respond to incidents detected by Azure Monitor.
Incident management type Supplier-defined controls
Incident management approach All incidents are logged on a central database and all actions and findings are stored against the incident number. These are then emailed to the person/persons responsible for managing the incident. We follow the Incident Model: This includes a sequence of steps and responsibilities; Timescales for resolution; Escalation procedures; Evidence preservation; Reporting is done on a regular basis from the central database and provided at Management Meetings for review/learning.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks No


Price £4000 per licence per month
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Service can be accessed and used with standard functionality for a period of 1 month. This does not include any bespoke configuration or interfaces which are required for tracking actual savings in real time.


Pricing document View uploaded document
Terms and conditions document View uploaded document