Emx Solutions

Our service is a consultancy and technology based offering for the provision of Employee Benefits and Total Reward Statements to aid with employee engagement and communications.


  • Employee benefit provision
  • Employee Communications
  • Voluntary benefit access
  • Easier administration of employee benefits
  • Payroll reporting for benefits
  • Provider reporting for benefits
  • National Minimum Wage compliance checks
  • User administrator self service surveys
  • Access to online payslips
  • Central hub with access to third parties


  • Administrate all benefits in one central location
  • Employees can easily make selections of benefits
  • Employees can see the impact on their pay
  • Engage employees through regular communications
  • Enagage employees through the use of Total Reward Statements
  • Reduce the admin payroll burden of manually making changes
  • Bring online access to one central location for other services
  • Ability to offer flex funding or flex funds
  • Accessable through any mobile device
  • Secure and scalable hosted solution


£36500 to £64500 per unit per year

  • Education pricing available

Service documents


G-Cloud 11

Service ID

6 5 0 4 6 4 3 6 8 0 6 5 3 5 9



KPMG G-Cloud Team


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints No
System requirements
  • Requires lastest versions of internet browsers.
  • Minimum version of Internet Explorer is IE9

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Within 24 hours
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support No
Support levels We are able to provide Helpdesk support to end users, generally between the hours of 09:30 and 17:30. This is provided through the provision of a dedicated phoneline and email address.
Web chat support is currently in development.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started Full training can be provided to users along with relevant user guides and manuals.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Extract of data directly from the platform in the form of reports in csv format.
End-of-contract process We will assist you in any transition to a new provider. Once the migration has been completed and signed off all data will be removed from out platform.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Full functionality is available on the mobile service
Service interface Yes
Description of service interface N/A
Accessibility standards None or don’t know
Description of accessibility Our browser based solution will resize itself based on the device the user is accessing it with.
Accessibility testing None
Customisation available Yes
Description of customisation The look and feel of our platform can be tailored to the users requirements. Similarly the layout and rules behind the system can be tailored to the users requirements.


Independence of resources Hosting services are load balanced and can automatically scale depending on demand.


Service usage metrics Yes
Metrics types We will provide metrics on call volumes, response times and types of queries.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations European Economic Area (EEA)
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach Through reports built in to the platform. These can be built to the users specification.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability Due to our AWS hosting environment we can provide 99.99% availability.
Approach to resilience The solution is hosted on the KPMG-managed Virtual Private Cloud on the AWS cloud platform. The application runs on AWS EC2 compute nodes. The application is in an auto-scaling group, so the number of compute nodes will automatically increase to cater to demand.
Outage reporting We utilise other AWS features such as CloudWatch for log monitoring, SES for sending emails, and S3 for storage.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Username or password
Access restrictions in management interfaces and support channels Authentication can be carried out either through a single sign on link from the users systems or through the use of username and passwords. Accounts must already be registered on the platform.
Access restriction testing frequency At least every 6 months
Management access authentication
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Certifications / ISO
ISO/IEC 27001 accreditation date 12/04/2016
What the ISO/IEC 27001 doesn’t cover "ISO 27001 is an information security standard that helps firms to identify risks to its data, and put in place the controls to help mitigate those risks. KPMG is certified to ISO 27001:2013 for core systems, people, IT assets and physical security.

Obtaining and maintaining ISO 27001 demonstrates KPMG's commitment to information security, and should provide its clients with assurance that our information security policy and processes are robust, and that a strong control environment exists. We are independently audited against the standard by an external third party.

The scope statement for our ISO certificate reads: ‘The protection of information in relation to the provision of professional services to KPMG clients. This includes all client-facing business units that use KPMG’s centrally managed information systems and processes.’ "
ISO 28000:2007 certification Yes
Who accredited the ISO 28000:2007 Standards and certifications / ISO 28 - N/A
ISO 28000:2007 accreditation date 12/04/2016
What the ISO 28000:2007 doesn’t cover -
CSA STAR certification Yes
CSA STAR accreditation date 31/12/2018
CSA STAR certification level Level 3: CSA STAR Certification
What the CSA STAR doesn’t cover N/A
PCI certification No
Other security certifications Yes
Any other security certifications Cyber Essentials Certification

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Multiple policies and standards exist from User security awareness and integrity training for all staff to the more specific standards and policies - IT Security Policy, Privileged User, Vulnerability management, Log Management, System access management, Information classification requirements to name a few

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach We manage all configuration and change requests through a formal change management process. Processes are ITIL based, but with adaptations made to suit KPMG’s internal and supplier requirements for controls, governance and reporting.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Vulnerability scans are carried out monthly on external devices and monthly on internal devices. All systems exposed to untrusted networks (and, in particular, all Internet-facing systems) are pen-tested prior to release and whenever a sufficiently significant change takes place that forces a change in the risk assessment for the system
Protective monitoring type Supplier-defined controls
Protective monitoring approach N/A
Incident management type Supplier-defined controls
Incident management approach Security Incidents are handled in line with the KPMG UK Incident Management process, aligning to elements of KPMG UK’s ISO270001. Incidents are raised through a dedicated channel and an incident manager assigned. The handler will then be triage accordingly, seek to contain the incident and coordinate recovery efforts with stakeholders

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £36500 to £64500 per unit per year
Discount for educational organisations Yes
Free trial available No

Service documents

Return to top ↑