Castle Computer Services Ltd

P2P Online Purchasing

DCS Purchase2Pay enables organisations to implement an intranet-based requisitioning, ordering and receiving process. The solution is tailored to an organisation’s acquisition policy and procedures for goods and services. It is closely integrated with the leading finance systems, including SunSystems, Microsoft Dynamics GP and Sage. The approval process follows corporate authorisation procedures.

Features

  • Comprehensive P2P workflow configurable to your business processes
  • Seamless interfaces with Finance systems
  • Mobile enabled for maximum business flexibility
  • Multi-browser support including iOS and Android
  • Multiple eInvoice options to enable all suppliers
  • PEPPOL Access Point
  • Option to punch-out to 3rd party catalogues
  • Built-in document scanning and management

Benefits

  • Simple and intuitive interface means minimum end user training
  • Mobile order authorisation speeds up the order process
  • Seamless connection to the finance system provides data accuracy
  • Single source of supplier data
  • Real-time view of actual and committed expenditure
  • Documents attached to the order can be viewed by users
  • Reduced process time for invoices
  • Reduced errors, and swifter dispute resolution

Pricing

£100 to £500 per licence per year

  • Education pricing available

Service documents

G-Cloud 9

602835059982620

Castle Computer Services Ltd

Paul Sutherland

08452301314

paul.sutherland@castle-cs.com

Service scope

Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to The service is an add-on to the user's Financial System. The P2P solution reads Supplier and Chart of Accounts information from the finance system and posts Commitments, Accruals and Accruals to the Finance system.
Cloud deployment model Private cloud
Service constraints The Service is available 24/7 365 days per year and has an uptime average of 99% over the past 10 years.
From time to time planned outages are agreed with customers for the implementation of upgrades etc. Typically these are once a quarter and are implemented outside office hours.
System requirements
  • Device with Internet access
  • Correct Browser version

User support

Email or online ticketing support Email or online ticketing
Support response times Email response within 24 hours
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Onsite support
Support levels Castle’s support model is based around ITIL (IT Infrastructure Library) best practice. ITIL is a best practice framework developed by the Office of Government Commerce and is rapidly becoming the worldwide de facto standard for the delivery of IT support to businesses.
Castle’s ITIL based Support methodology will then be used to ensure that the highest quality, proactive and responsive support service is provided to you.
We adhere carefully to IT industry best practice, and follow the ITIL standards (IT Infrastructure Library). Our support function is provided via our dedicated helpdesk in Strathclyde Business Park, Bellshill from where we provide high quality support to over 500 customers.
We use a number of leading edge systems and software applications to help maximize our service to customers, such as:
• Cherwell service management call handling software
ITIL accredited software for handling, monitoring and reporting Castle’s service against agreed SLAs
• Network streaming software
This allows us to take control (remote control) of any PC or server that can connect to our web site.
• And our innovative myCastle self service support portal
Support available to third parties Yes

Onboarding and offboarding

Getting started DCS and Castle will use a proven project management methodology based on PRINCE2 for the implementation of the P2P solution.

This is tailored to suit the exact requirements of each customer, which are documented and agreed to at the project outset in the Project Initiation Document.
This approach ensures all areas of the implementation process are discussed and addressed and realistic expectations are set.

An implementation framework reflecting the respective roles and responsibilities of Castle and the customer is then agreed in an informed manner through a clear understanding of the project scope, objectives, activities and resource requirements.

The approach is based on 7 steps and each step has a set of documents associated with it:
Step 1 - Project Initiation
Step 2 - Business Needs Analysis
Step 3 - Requirements Definition
Step 4 - System Configuration
Step 5 - End User Training
Step 6 - Acceptance Testing
Step 7 - Pilot Sites
Step 8 - Rollout
Step 9 - Post Implementation Review
Service documentation Yes
Documentation formats
  • ODF
  • PDF
  • Other
Other documentation formats Multi-media Online Help
End-of-contract data extraction All data is owned by the customer and may be extracted in database table or CSV format as required. Standard extracts are available and additional extracts can be developed on a time and materials basis.
End-of-contract process The notice for termination of the service is sent by the customer to Castle and a date for termination after 30 days is agreed. 2 options are then offered:
- read only access to the data for a small cost
- Full export of the data to the customer in CSV or database table format

All support through nominated contacts and upgrades are included in the contract. Additional modules or specific customer developments are charged for as required.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install Yes
Compatible operating systems
  • iOS
  • MacOS
  • Windows
  • Windows Phone
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The mobile app is designed for Approvers to approve Orders and Invoices when they are online and offline. Users sync with the SaaS service and this downloads any documents awaiting the user's approval. The sync also updates the server with any Approvals that have been completed on the app.
Accessibility standards WCAG 2.0 AAA
Accessibility testing DCS tests its interfaces so that they meet the 4 principles for good accessibility, i.e. the software user interface components are checked so that they are presentable to users in ways they can perceive. User interface components and navigation must be operable. Information and the operation of user interface and content must be understandable. Whilst the content is mainly financial information, DCS endeavours to make content clear so that it can be interpreted by a wide variety of user agents, e.g. JAWS.
DCS also employs consultants to assist with this process as part of its testing.
API No
Customisation available Yes
Description of customisation The P2P system can be customized by Buyers and/or Castle. The solution provides a Workflow Design Tool and a Configuration Admin Tool.
- The workflow Tool enables organisations to configure the business approval rules as required.
- The Administration Tool enables organisations to change the files, scripts and operation of the solution. The system automatically manages and versions these changes.

Scaling

Independence of resources Dedicated application servers can be issued to minimise other user impact on services

Analytics

Service usage metrics Yes
Metrics types Availability - 98%
Response - 95%
Load - 300 transactions per min
Accuracy - 0 (Errors due to application problems)
Batch Services - 98%

1. Availability based on CICSPROD up and files open
2. Penalties for missed services:
a. 10% reduction in billing for 2% missed unless caused by user
3. Penalties for exceeded loads:
a. 10% increase in billing and no penalty for missed service
4. Reporting: Data Centre provides report 8 am each day.
5. Changes to SLAs must be negotiated with the contacts from both parties
6. Priorities if full resources are unavailable
7. Batch Services:
Reporting types
  • Regular reports
  • Reports on request

Resellers

Supplier type Reseller providing extra features and support
Organisation whose services are being resold DCS Ltd

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data export approach A data export can be requested from the service desk, or if they contract to have the data management tools the customer can perform the exports as required.
Data export formats
  • CSV
  • ODF
  • Other
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats Drag & Drop Images in PDF, Word, Excel formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection between networks DCS uses Servecentric to manage user data. The database is replicated synchronously so that we can quickly recover from a database failure. As an extra precaution, we take regular snapshots of the database and securely move them to a separate data centre so that we can restore as needed, even in the event of a Servecentric failure.
We currently host data in a secure, SSAE 16 audited data centre, Servecentric, located in Ireland.
Encrypted Transactions
Web connections to the DCS service are via TLS 1.0 and above. We support forward secrecy and AES-GCM, and prohibit insecure connections using SSL 3.0 and below or RC4.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection within supplier network The architecture is designed to provide a robust scalable platform to support thousands of users through an extendible and configurable solution.
Robust Authentication, Web Farms, Load Balancers along with a multi-zone network secured by multiple firewalls are used to ensure data security and integrity.

Availability and resilience

Guaranteed availability The Service is available 24/7 365 days per year and has an uptime average of 99% over the past 9 years. From time to time planned outages are agreed with customers for the implementation of upgrades etc. Typically these are once a quarter and are implemented outside office hours.
Approach to resilience The platform has been implemented with a redundant and fault-tolerant High Availability Architecture (HAA) to ensure that no single point of failure can affect the availability of the overall solution (the concept of duality is applied to all components of the architecture).

The Network has been designed to be multi-zone separated by firewalls. Security has been implemented across the applications and uses industry standard authentication.
The system is hosted in Servecentric. Servecentric is one of Ireland’s largest and most advanced data centres. It adheres to the highest international standards, and is certified to the following ISO Standards, including ISO27001 (Information Security Management), ISO9001 (Quality Management) and ISO14001 (Environmental Management).
Detailed information is available on request and under a non-disclosure agreement.
Outage reporting If outages or part outages occur it is DCS's policy to transparently discuss this with our customers. DCS has also implemented the following ways to communicate outages to our customers:-
1. As soon as an outage occurs DCS will email all relevant customer contacts
2. DCS will post a status update page that will be updated with any developments and this page is accessible by all customers.
3. If the problem is ongoing DCS will email all end users directly and send text messages to affected users
4. When the outage is over DCS will update all users impacted by the outage via email and text message
5. DCS provides each impacted customer with a detailed outage report that includes a detailed description of the problem that occurred and a plan to ensure that the problem does not occur again.

Identity and authentication

User authentication needed Yes
User authentication 2-factor authentication
Access restrictions in management interfaces and support channels Management Interfaces are restricted based on Group membership. Company Administrator access is limited to views of a company's data and all access is restricted via 2-factor authentication.
System level access is restricted to the DCS help desk operation leaders.
Access restriction testing frequency At least once a year
Management access authentication 2-factor authentication

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations Yes
Any other security accreditations ISAE 3402

Security governance

Named board-level person responsible for service security No
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Within the company, we have an acceptable usage policy for all IT equipment. This covers any office technology extensively, with regard to its security, the software on the devices and the usage of the software/hardware. It is designed so that adherence to the DPA is vital and always present.

Technologies such as Active Directory Services and Group Policy are in place to make sure that company-wide administration is present and that Anti-Virus, firewalls, HIPS, Anti-Phishing, Email-protection etc. cannot be disabled.

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach All system changes have to be formally documented and fully regression tested to ensure there are no application conflicts.

Changes applied to a test environment first

Customer UAT is required before transfer to a live system
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach With both the head office and the private cloud, we deploy a unified threat management (UTM) system, which helps monitor all information going in and out of each location. The UTM is equipped with firewall, intrusion prevention, UTM management and advanced threat protection technologies.

We run regular patching to our platforms through WSUS, and application specific software releases. We usually deploy these in waves, so that if a patch was to break a service it would break a small amount of our private cloud and not the entire cloud. This is to help prevent any outages.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach We regularly carry out tests to ensure that code injections and other similar attacks (OWASP A1, A2 and A5 classes). In addition we use 3rd parties to test and ensure no access to restricted information using direct object and URL references (A4 and A8).
All configuration changes to the SaaS service are carried out by Servecentric, and Servecentric are SSAE-16 compliant.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach All incidents have to be reported via the helpdesk support line.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks No

Pricing

Price £100 to £500 per licence per year
Discount for educational organisations Yes
Free trial available No

Documents

Pricing document View uploaded document
Terms and conditions document View uploaded document