P2P Online Purchasing
DCS Purchase2Pay enables organisations to implement an Intranet based requisitioning, ordering and receiving process. The solution is tailored to an organisation’s acquisition policy and procedures for goods and services. Closely integrated with the leading finance systems, including SunSystems, Microsoft Dynamics GP and Sage. The approval process follows corporate authorisation procedures.
- Comprehensive P2P workflow configurable to your business processes
- Seamless interfaces with Finance systems
- Mobile enabled for maximum business flexibility
- Multi-browser support including iOS and Android
- Multiple eInvoice options to enable all suppliers
- PEPPOL Access Point
- Option to punch-out to 3rd party catalogues
- Built-in document scanning and management
- Simple and intuitive interface means minimum end user training
- Mobile order authorisation speeds up the order process
- Seamless connection to the finance system provides data accuracy
- Single source of supplier data
- Real-time view of actual and committed expenditure
- Documents attached to the order can be viewed by users
- Reduced process time for invoices
- Reduced errors, and swifter dispute resolution
£100 to £500 per licence per year
- Education pricing available
597787125020173
Castle Computer Services Ltd
|Software add-on or extension||Yes, but can also be used as a standalone service|
|What software services is the service an extension to||The service is an add-on to the user's financial system. The P2P solution reads Supplier and Chart of Accounts information from the finance system and posts Commitments and Accruals to the finance system.|
|Cloud deployment model||Private cloud|
The Service is available 24/7 365 days per year and has an uptime average of 99% over the past 10 years.
From time to time planned outages are agreed with customers for the implementation of upgrades etc. Typically these are once a quarter and are implemented outside office hours.
|Email or online ticketing support||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
Castle’s support model is based around ITIL (IT Infrastructure Library) best practice. ITIL is a best practice framework developed by the Office of Government Commerce and is rapidly becoming the worldwide de facto standard for the delivery of IT support to businesses.
Castle’s ITIL based Support methodology will then be used to ensure that the highest quality, proactive and responsive support service is provided to you.
We adhere carefully to IT industry best practice and follow the ITIL standards (IT Infrastructure Library). Our support function is provided via our dedicated helpdesk in Strathclyde Business Park, Bellshill, from where we provide high quality support to over 500 customers.
We use a number of leading edge systems and software applications to help maximize our service to customers, such as:
• Cherwell service management call handling software: ITIL accredited software for handling, monitoring and reporting Castle's service against agreed SLAs
• Network streaming software: this allows us to take control (remote control) of any PC or server that can connect to our web site
• Our innovative myCastle self-service support portal
|Support available to third parties||Yes|
Onboarding and offboarding
DCS and Castle will use a proven project management methodology based on PRINCE2 for the implementation of the P2P solution.
This is tailored to suit the exact requirements of each customer, which are documented and agreed at the project outset in a Project Initiation Document.
This approach ensures all areas of the implementation process are discussed and addressed and realistic expectations are set.
An implementation framework reflecting the respective roles and responsibilities of Castle and the customer is then agreed in an informed manner, through a clear understanding of the project scope, objectives, activities and resource requirements.
The approach is based on 7 steps and each step has a set of documents associated with it:
Step 1 - Project Initiation
Step 2 - Business Needs Analysis
Step 3 - Requirements Definition
Step 4 - System Configuration
Step 5 - End User Training
Step 6 - Acceptance Testing
Step 7 - Pilot Sites
Step 8 - Rollout
Step 9 - Post Implementation Review
|End-of-contract data extraction||All data is owned by the customer and may be extracted in database table or CSV format as required. Standard extracts are available and additional extracts can be developed on a time and materials basis.|
The notice for termination of the service is sent by the customer to Castle and a termination date at least 30 days later is agreed. Two options are then offered:
- Read-only access to the data for a small cost
- Full export of the data to the customer in CSV or database table format
All support through nominated contacts and upgrades are included in the contract. Additional modules or specific customer developments are charged for as required.
Using the service
|Web browser interface||Yes|
|Application to install||Yes|
|Compatible operating systems||
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||The mobile app is designed for approvers to approve orders and invoices both online and offline. Users sync with the SaaS service, which downloads any documents awaiting the user's approval. The sync also updates the server with any approvals that have been completed on the app.|
|Description of customisation||
The P2P system can be customized by Buyers and/or Castle. The solution provides a Workflow Design Tool and a Configuration Admin Tool.
- The Workflow Tool enables organisations to configure the business approval rules as required.
- The Administration Tool enables organisations to change the files, scripts and operation of the solution. The system automatically manages and versions these changes.
|Independence of resources||Dedicated application servers can be issued to minimise other user impact on services|
|Service usage metrics||Yes|
Availability - 98%
Response - 95%
Load - 300 transactions per minute
Accuracy - 0 (Errors due to application problems)
Batch Services - 98%
1. Availability based on CICSPROD up and files open
2. Penalties for missed services:
a. 10% reduction in billing for 2% missed unless caused by user
3. Penalties for exceeded loads:
a. 10% increase in billing and no penalty for missed service
4. Reporting: Data Centre provides report 8 am each day.
5. Changes to SLAs must be negotiated with the contacts from both parties
6. Priorities if full resources are unavailable
7. Batch Services:
|Supplier type||Reseller providing extra features and support|
|Organisation whose services are being resold||DCS Ltd|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Baseline Personnel Security Standard (BPSS)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Managed by a third party|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||
|Data sanitisation process||Yes|
|Data sanitisation type||Deleted data can’t be directly accessed|
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||A data export can be requested from the service desk, or, if the customer has contracted for the data management tools, the customer can perform the exports as required.|
|Data export formats||
|Data import formats||
|Other data import formats||Drag & drop images in PDF, Word and Excel formats|
|Data protection between buyer and supplier networks||
|Other protection between networks||
DCS uses Servecentric to manage user data. The database is replicated synchronously so that we can quickly recover from a database failure. As an extra precaution, we take regular snapshots of the database and securely move them to a separate data centre so that we can restore when needed, even in the event of a Servecentric failure.
We currently host data in the secure SSAE 16 audited Servecentric data centre located in Ireland.
Web connections to the DCS service are via TLS 1.0 and above. We support forward secrecy and AES-GCM, and prohibit insecure connections using SSL 3.0 and below or the RC4 cipher.
|Data protection within supplier network||
|Other protection within supplier network||
The architecture is designed to provide a robust scalable platform to support thousands of users through an extendible and configurable solution.
Robust authentication, web farms and load balancers, along with a multi-zone network secured by multiple firewalls, are used to ensure data security and integrity.
Availability and resilience
|Guaranteed availability||The Service is available 24/7 365 days per year and has an uptime average of 99% over the past 9 years. From time to time planned outages are agreed with customers for the implementation of upgrades etc. Typically these are once a quarter and are implemented outside office hours.|
|Approach to resilience||
The platform has been implemented with a redundant and fault-tolerant High Availability Architecture (HAA) to ensure that no single point of failure can affect the availability of the overall solution (the concept of duality is applied to all components of the architecture).
The Network has been designed to be multi-zone separated by firewalls. Security has been implemented across the applications and uses industry standard authentication.
The system is hosted in Servecentric. Servecentric is one of Ireland's largest and most advanced data centres. It adheres to the highest international standards and is certified to the following ISO standards: ISO27001 (Information Security Management), ISO9001 (Quality Management) and ISO14001 (Environmental Management).
Detailed information is available on request and under a non-disclosure agreement.
If outages or partial outages occur, it is DCS's policy to discuss this transparently with our customers. DCS has also implemented the following ways to communicate outages to our customers:
1. As soon as an outage occurs DCS will email all relevant customer contacts
2. DCS will post a status update page that will be updated with any developments and this page is accessible by all customers.
3. If the problem is ongoing DCS will email all end users directly and send text messages to affected users
4. When the outage is over DCS will update all users impacted by the outage via email and text message
5. DCS provides each impacted customer with a detailed outage report that includes a detailed description of the problem that occurred and a plan to ensure that the problem does not occur again.
Identity and authentication
|User authentication needed||Yes|
|User authentication||2-factor authentication|
|Access restrictions in management interfaces and support channels||
Management interfaces are restricted based on group membership. Company Administrator access is limited to views of that company's data, and all access is restricted via 2-factor authentication.
System level access is restricted to the DCS help desk operation leaders.
|Access restriction testing frequency||At least once a year|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users have access to real-time audit information|
|How long supplier audit data is stored for||User-defined|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||ISAE 3402|
|Named board-level person responsible for service security||No|
|Security governance certified||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||
Within the company, we have an acceptable usage policy for all IT equipment. This covers all office technology in regard to its security, the software on the devices and the usage of that software/hardware. It is designed so that adherence to the DPA is vital and always present.
Technologies such as Active Directory Services and Group Policy are in place to make sure that company-wide administration is present and that anti-virus, firewalls, HIPS, anti-phishing, email protection etc. cannot be disabled.
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||
All system changes have to be formally documented and fully regression tested to ensure no application conflicts.
- Changes are applied to a test environment first
- Customer UAT is required before transfer to a live system
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||
At both the head office and the private cloud, we deploy a unified threat management (UTM) system, which helps monitor all information going in and out of each location. The UTM is equipped with firewall, intrusion prevention, UTM management and advanced threat protection technologies.
We run regular patching of our platforms through WSUS and application-specific software releases. We usually deploy these in waves, so that if a patch were to break a service it would affect only a small part of our private cloud and not the entire cloud. This helps prevent outages.
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||
We regularly carry out tests to ensure that code injection and other similar attacks (OWASP A1, A2 and A5 classes) are prevented. In addition, we use 3rd parties to test and ensure no access to restricted information using direct object and URL references (A4 and A8).
All configuration changes to the SaaS service are carried out by Servecentric, and Servecentric is SSAE-16 compliant.
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||All incidents have to be reported via the helpdesk support line.|
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£100 to £500 per licence per year|
|Discount for educational organisations||Yes|
|Free trial available||No|