Castle Computer Services Ltd

P2P Online Purchasing

DCS Purchase2Pay enables organisations to implement an Intranet based requisitioning, ordering and receiving process. The solution is tailored to an organisation’s acquisition policy and procedures for goods and services. Closely integrated with the leading finance systems, including SunSystems, Microsoft Dynamics GP and Sage. The approval process follows corporate authorisation procedures.


  • Comprehensive P2P workflow configurable to your business processes
  • Seamless interfaces with Finance systems
  • Mobile enabled for maximum business flexibility
  • Multi-browser support including iOS and Android
  • Multiple eInvoice options to enable all suppliers
  • PEPPOL Access Point
  • Option to punch-out to 3rd party catalogues
  • Built-in document scanning and management


  • Simple and intuitive interface means minimum end user training
  • Mobile order authorisation speeds up the order process
  • Seamless connection to the finance system provides data accuracy
  • Single source of supplier data
  • Real time view of actual and committed expenditure
  • Documents attached to the order can be viewed by users
  • Reduced process time for invoices
  • Reduced errors, and swifter dispute resolution


£100 to £500 per licence per year

  • Education pricing available

Service documents


G-Cloud 11

Service ID

597787125020173


Castle Computer Services Ltd

Paul Sutherland

01698 844600

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
The service is an add-on to the user's Financial System. The P2P solution reads Supplier and Chart of Accounts information from the finance system and posts Commitments, Accruals and Accruals to the Finance system.
Cloud deployment model
Private cloud
Service constraints
The Service is available 24/7 365 days per year and has an uptime average of 99% over the past 10 years.
From time to time planned outages are agreed with customers for the implementation of upgrades etc. Typically these are once a quarter and are implemented outside office hours.
System requirements
  • Device with Internet access
  • Correct Browser version

User support

Email or online ticketing support
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Castle’s support model is based around ITIL (IT Infrastructure Library) best practice. ITIL is a best practice framework developed by the Office of Government Commerce and is rapidly becoming the worldwide de facto standard for the delivery of IT support to businesses.
Castle’s ITIL based Support methodology will then be used to ensure that the highest quality, proactive and responsive support service is provided to you.
We adhere carefully to IT industry best practice, and follow the ITIL standards (IT Infrastructure Library). Our support function is provided via our dedicated helpdesk in Strathclyde Business Park, Bellshill, from where we provide high quality support to over 500 customers.
We use a number of leading edge systems and software applications to help maximize our service to customers, such as:
• Cherwell service management call handling software
ITIL accredited software for handling, monitoring and reporting Castle’s service against agreed SLAs
• Network streaming software
This allows us to take control (remote control) of any PC or server that can connect to our web site.
• And our innovative myCastle self service support portal
Support available to third parties

Onboarding and offboarding

Getting started
DCS and Castle will use a proven project management methodology based on PRINCE2 for the implementation of the P2P solution.

This is tailored to suit the exact requirements of each customer, which is documented and agreed to at the project outset in this Project Initiation Document.
This approach ensures all areas of the implementation process are discussed and addressed and realistic expectations are set.

An implementation framework reflecting respective Castle and the customer roles and responsibilities is then agreed in an informed manner through a clear understanding of the project scope, objectives, activities and resource requirements.

The approach is based on 7 steps and each step has a set of documents associated with it:
Step 1 - Project Initiation
Step 2 - Business Needs Analysis
Step 3 - Requirements Definition
Step 4 - System Configuration
Step 5 - End User Training
Step 6 - Acceptance Testing
Step 7 - Pilot Sites
Step 8 - Rollout
Step 9 - Post Implementation Review
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
All data is owned by the customer and may be extracted in database table or CSV format as required. Standard extracts are available and additional extracts can be developed on a time and materials basis.
End-of-contract process
The notice for termination of the service is sent by the customer to Castle and a date for termination after 30 days is agreed. 2 options are then offered:
- read only access to the data for a small cost
- Full export of the data to the customer in CSV or database table format

All support through nominated contacts and upgrades are included in the contract. Additional modules or specific customer developments are charged for as required.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Compatible operating systems
  • iOS
  • MacOS
  • Windows
  • Windows Phone
Designed for use on mobile devices
Differences between the mobile and desktop service
The Mobile APP is designed for Approvers to approve Orders and Invoices when they are online and offline. Users sync with the SAAS service and this downloads any documents awaiting the user's approval. The sync also updates the server with any Approvals that have been completed on the APP.
Service interface
Customisation available
Description of customisation
The P2P system can be customized by Buyers and/or Castle. The solution provides a Workflow Design Tool and a Configuration Admin Tool.
- The workflow Tool enables organisations to configure the business approval rules as required.
- The Administration Tool enables organisations to change the files, scripts and operation of the solution. The system automatically manages and versions these changes.


Independence of resources
Dedicated application servers can be issued to minimise other user impact on services


Service usage metrics
Metrics types
Availability - 98%
Response - 95%
Load - 300 Transactions per min
Accuracy - 0 (Errors due to application problems)
Batch Services - 98%

1. Availability based on CICSPROD up and files open
2. Penalties for missed services:
a. 10% reduction in billing for 2% missed unless caused by user
3. Penalties for exceeded loads:
a. 10% increase in billing and no penalty for missed service
4. Reporting: Data Centre provides report 8 am each day.
5. Changes to SLA’s must be negotiated with the contacts from both parties
6. Priorities if full resources are unavailable
7. Batch Services:
Reporting types
  • Regular reports
  • Reports on request


Supplier type
Reseller providing extra features and support
Organisation whose services are being resold

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
A data export can be requested from the service desk, or if they contract to have the data management tools the customer can perform the exports as required.
Data export formats
  • CSV
  • ODF
  • Other
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
Drag & Drop Images in PDF, Word, Excel formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection between networks
DCS uses Servecentric to manage user data. The database is replicated synchronously so that we can quickly recover from a database failure. As an extra precaution, we take regular snapshots of the database and securely move them to a separate data center so that we can restore as needed, even in the event of a Servecentric failure.
We currently host data in the secure SSAE 16 audited data centre Servecentric, located in Ireland.
Encrypted Transactions
Web connections to the DCS service are via TLS 1.0 and above. We support forward secrecy and AES-GCM, and prohibit insecure connections using SSL 3.0 and below or RC4.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection within supplier network
The architecture is designed to provide a robust scalable platform to support thousands of users through an extendible and configurable solution.
Robust Authentication, Web Farms, Load Balancers along with a multi-zone network secured by multiple firewalls are used to ensure data security and integrity.

Availability and resilience

Guaranteed availability
The Service is available 24/7 365 days per year and has an uptime average of 99% over the past 9 years. From time to time planned outages are agreed with customers for the implementation of upgrades etc. Typically these are once a quarter and are implemented outside office hours.
Approach to resilience
The platform has been implemented with a redundant and fault-tolerant High Availability Architecture (HAA) to ensure that no single point of failure can affect the availability of the overall solution (the concept of duality is applied to all aspects and components of the architecture).

The network has been designed to be multi-zone, separated by firewalls. Security has been implemented across the applications and uses industry standard authentication.
The system is hosted in Servecentric. Servecentric is one of Ireland’s largest and most advanced data centres. It adheres to the highest international standards, and is certified to the following ISO Standards, including ISO27001 (Information Security Management), ISO9001 (Quality Management) and ISO14001 (Environmental Management).
Detailed information is available on request and under a non-disclosure agreement.
Outage reporting
If outages or part outages occur it is DCS's policy to transparently discuss this with our customers. DCS has also implemented the following ways to communicate outages to our customers:-
1. As soon as an outage occurs DCS will email all relevant customer contacts
2. DCS will post a status update page that will be updated with any developments and this page is accessible by all customers.
3. If the problem is ongoing DCS will email all end users directly and send text messages to affected users
4. When the outage is over DCS will update all users impacted by the outage via email and text message
5. DCS provides each impacted customer with a detailed outage report that includes a detailed description of the problem that occurred and a plan to ensure that the problem does not occur again.

Identity and authentication

User authentication needed
User authentication
2-factor authentication
Access restrictions in management interfaces and support channels
Management Interfaces are restricted based on Group membership. Company Administrator access is limited to views of a company's data and all access is restricted via 2-factor authentication.
System level access is restricted to the DCS help desk operation leaders.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
ISAE 3402

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
Within the company, we have an acceptable usage policy for all IT equipment. This covers any office technology extensively, with regard to its security, the software on the devices and the usage of the software/hardware. It is designed so that adherence to the DPA is vital and always present.

Technologies such as Active Directory Services and Group Policy are in place to make sure that company-wide administration is present and no measures can be taken to disable Anti-Virus, firewalls, HIPS, Anti-Phishing, Email-protection etc.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
All system changes have to be formally documented and fully regression tested to ensure no application conflicts.

Changes applied to a test environment first

Customer UAT is required before transfer to a live system
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
With both the head office and the private cloud, we deploy a unified threat management system, which helps monitor all information going in and out of each location. The UTM is equipped with firewall, intrusion prevention, UTM management and advanced threat protection technologies.

We run regular patching to our platforms through WSUS, and application specific software releases. We usually deploy these in waves, so that if a patch were to break a service it would break a small part of our private cloud and not the entire cloud. This is to help prevent any outages.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
We regularly carry out tests to ensure that code injections and other similar attacks (OWASP A1, A2 and A5 classes). In addition we use 3rd parties to test and ensure no access to restricted information using direct object and URL references (A4 and A8).
All configuration changes to the SAAS service are carried out by Servecentric and Servecentric are SSAE-16 compliant.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
All incidents have to be reported via the helpdesk support line.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£100 to £500 per licence per year
Discount for educational organisations
Free trial available
