Software Limited t/a

eProcurement - cloudBuy Purchasing System

Simple way to trade with all your suppliers in a single, secure, eProcurement environment, bringing ‘consumer-style’ shopping to the complex world of B2B procurement with embedded payment options. Your buyers will only see selected products and services at approved prices with over 99.5% of orders auto matched and paid.


  • PCI DSS Level 1 and ISO 27001 certified
  • Integration with existing ERP/finance systems
  • Single sign on
  • Automatic 3-way matching of online order/goods receipt/invoice documents
  • Embedded payment module for pCard purchases producing buyer rebate
  • Supplier-maintained product and pricing information, buyer validation and publishing
  • User dashboard with ‘to do’ actions, administration, reporting options
  • Add favourite products/services by individual for repeat orders
  • Search for products by keyword or code
  • Portal can be branded for the buying organisation


  • Single location for all procurement activities
  • Secure procurement environment
  • Reduced costs and increased control
  • Contract compliance
  • Control what individuals can see and buy
  • Increased accuracy: 99.5% auto matching from order to payment
  • Real time line level reporting
  • Eliminates overspend and duplicate payments
  • Gives accurate picture of procurement across whole organisation
  • Available on desktop, mobile and tablet


£2,250 an instance a month

Service documents


G-Cloud 12

Service ID

687863309016185


Software Limited t/a Software Limited
Telephone: 01183381429

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
On occasion completes planned maintenance, this typically takes place out of core business hours or over weekends. Customers are informed of any planned maintenance well in advance through posts to our shared user forum which all customers are invited to free of charge.
System requirements
Internet access

User support

Email or online ticketing support
Email or online ticketing
Support response times
Our Support Team works Monday-Friday from 9am until 5pm UK time. Depending on the severity of the issue, the Support Team aims to respond to all queries within 30 minutes to 2 business hours.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Support levels
You will be assigned a Solution Delivery Manager (SDM) who will be your port of call for any queries and support. Support via phone and email is included at no extra cost. It is provided during the office hours of Monday-Friday, 9am-5pm UK time. The severity of any issues reported affects the response time. If an issue has immediate priority, we aim to respond to you within 30 minutes and resolve the issue in two business hours. We have user guides to support your use of the system.
Support available to third parties

Onboarding and offboarding

Getting started
We provide a mix of onsite and offsite training along with documentation. The key part is customers providing their data; we provide a data specification and already have transfers configured for a number of major public sector accounting/finance/ERP systems.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction provides the data associated with the contract as part of its standard service at no additional charge. The customer can get a custom extract or a data conversion by into a different format for a charge that depends on the transformation required.
End-of-contract process provides the data associated with the contract as part of its standard service at no additional charge. The customer can get a custom extract or a data conversion by into a different format for a charge that depends on the transformation required.

Using the service

Web browser interface
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Layout is the only difference between mobile and desktop. It is optimised for both.
Service interface
What users can and can't do using the API
Send data
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Most areas of the service can be customised. Please let us know what your requirements are.


Independence of resources
Co2Analysis provides an SLA to ensure that all customers can measure that the service performs to the level set out by the SLA irrespective of the demands from other customers.

Customers have their own reporting packs.


Service usage metrics
Metrics types
We provide a set of reports covering usage, transactions, exceptions and required actions.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Data is exported as an Excel workbook.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability normally provides a 99.9% SLA and has a 100% track record of meeting this SLA. Customers that require a 100% uptime SLA can pay an additional amount based on the level of business loss as a result of downtime.
Approach to resilience has an N+2 redundancy standard covering firewalls, applications and storage systems spread over multiple datacentres.
Outage reporting provides customers with access to the user forum which is used to update and inform customers of incidents, outages, planned maintenance and upgrades. Notifications are sent to customers as part of the user forum workflow.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
Private network and 2-factor authentication.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Nothing, everything related to customer data is covered.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Who accredited the PCI DSS certification
PCI DSS accreditation date
What the PCI DSS doesn’t cover
No current exclusions (sometimes we need to exclude certain customers' systems which do not meet the PCI standard, but we aim to have all systems up to standard, e.g. when we had Government customers that continued to use FTP after its use was prohibited by PCI)
Other security certifications
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
We use ISO 27001 as our security management system, and this has internal and external auditing to ensure that our policies and procedures are followed.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
All changes are created in our version control system; they are then assessed and approved prior to being tested and deployed. There is a separation of duties between change creation, change approval, testing and deployment. The same process is followed for code, infrastructure and database changes. This process is audited internally and externally by both ISO 27001 and PCI teams.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach's infrastructure is tested annually and after any major system alterations. Testing is performed by PCI and CHECK accredited testers, comprising checks of possible holes in our security. They identify high-risk vulnerabilities, including combinations of low-risk vulnerabilities applied in sequence or those that are not necessarily picked up during our own scans. We also carry out quarterly internal and external network scans by an accredited PCI scanner, as well as our own internal and external daily scans. Any vulnerabilities are immediately patched.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
We have a PCI accredited external monitoring company monitoring our logs for any attacks or compromises, along with our SIEM, and if we have an incident we respond immediately.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Our incident management process covers immediate response to any serious incident along with proactive notification to any affected customers and regular updates to any affected customers. We regularly test incident response and look at how we can continuously improve our processes with pre-defined processes for potential major events. Incidents are not a common event. Users can report incidents through our applications, email or phone. We provide incident reports via our forums, and our ticketing system which we share with customers so that they can see the status of any ticket or incident.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
Connected networks
  • Joint Academic Network (JANET)
  • Health and Social Care Network (HSCN)


£2,250 an instance a month
Discount for educational organisations
Free trial available
