Basware Holdings Limited

Basware eInvoice

This Cloud service automates the receipt, transmission, validation and enrichment of orders and invoices in any electronic or paper format (PDFs, PEPPOL, XML and most other electronic formats). This service includes a self-service portal and creates an eInvoice for your own or your clients’ Accounts Payables system.


  • Transforms paper, PDF, PEPPOL, XML and EDI into electronic format
  • Includes a supplier self-service portal with order flip
  • Automatic processing of PDF invoices within emails
  • Full validation and enrichment of invoice content
  • Header and line level data capture options
  • CCS certified PEPPOL Access Point
  • Sends eInvoices to PEPPOL, PDF email or XML
  • Online Archive for Invoice storage


  • Delivers 100% eInvoicing from Day 1
  • Reduces Accounts Payable effort by removing manual keying of invoices
  • Improves content quality by removing duplications and errors
  • Cuts down fraud by supplier authentication
  • Supports HMRC VAT eInvoice compliance
  • Future-proofed with PEPPOL Access Point included
  • Improves savings by including the ability to send invoices or orders


£0.05 to £0.38 per transaction

Service documents

G-Cloud 9


Basware Holdings Limited

Paul Clayton

0845 603 2885

Service scope

Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Can be used as a standalone service or extension to a new or existing Basware Invoice Processing, Basware Purchase to Pay or any other 3rd Party Accounts Payable or Finance Systems. Can be extended with Basware Pay or Discount.
Cloud deployment model Private cloud
Service constraints There are no obvious constraints.
System requirements Needs connection to e.g. sFTP, AS2 or REST API

User support

Email or online ticketing support Email or online ticketing
Support response times Response within 1 working hour, depending upon the criticality.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard WCAG 2.0 A
Web chat accessibility testing Basware has conducted testing with external users of assistive technology.
Onsite support No
Support levels Basware Global Support model is aligned with ITIL (IT Infrastructure Library). Support is available during local business hours. 24/7 support can be provided as an option. The Service Desk provides advice and assistance about: • Operational use and service requests related to the software or service • Suspected incidents and problems. This is underpinned by Service Level Agreements. There are 3 levels of support designed for different types of organisation. Key elements of the service such as service updates, data security, Single Sign On, Maintenance, Business Continuity and Disaster Recovery are commonly covered.
Support available to third parties Yes

Onboarding and offboarding

Getting started Basware provides its services in an entirely packaged form that lends itself to easy call off from a framework. This is our normal modus operandi as all of our current client base call off our services from a Government framework agreement and clients can be fully apprised of the services they will receive and at what cost. This includes service levels and all other attendant matters including service levels, term of the arrangement and governing terms and conditions. Training is provided prior to service Go-live along with user documentation.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction As it is an entirely managed service it is simply a matter of ceasing access to the service and ensuring that all client owned information is returned to them. This is part of the service provided. If the service is terminated then all business documents and associated metadata held within the Customer's systems can be exported using the application's export functionality by the Customer. Metadata will be in human readable format.
End-of-contract process On completion of the call off, we can simply cease the services and the processes for doing so are clearly articulated within the arrangement. As it is an entirely managed service it is simply a matter of ceasing access to the service and ensuring that all client owned information is returned to them. All confidentialities relating to the services are maintained indefinitely as part of the arrangement.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install Yes
Compatible operating systems Windows
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Mobile users need to log on separately.
Accessibility standards WCAG 2.0 A
Accessibility testing Basware has conducted testing with external users of assistive technology.
What users can and can't do using the API Users can submit and receive transactions through the API. Users can see Invoice status through the API (
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available No


Independence of resources Basware uses databases with sharding to separate customers over multiple database instances. Our platform is based on parallel microservices running over multiple virtual servers in the cloud. We also use queuing and batching for large tasks to reduce load issues. CPUs, memory and instances are all flexible in the Cloud.


Service usage metrics No


Supplier type Not a reseller

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations European Economic Area (EEA)
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach In-house
Protecting data at rest Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data export approach The service can be scheduled to export data and image files on a regular basis. Documents can be bulk uploaded in XLS, XML and CSV formats. Basware can support virtually any structured data format. The service will export individual transactions either grouped into a batch or as separate invoice sets (content, image & attachments). The latter is the more common method of transfer. These can be Zipped and signed as required.
Data export formats
  • CSV
  • Other
Other data export formats XML
Data import formats
  • CSV
  • Other
Other data import formats XML

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection between networks System is subject to independent CHECK compliant testing annually.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection within supplier network System is subject to independent CHECK compliant testing annually.

Availability and resilience

Guaranteed availability Basware consistently operates the Basware service to meet a target level of 99.9% of time during a combination of core and non-core hours (97.5% during the first month of service or following a major release). Further information included in Service Definition document. This is underpinned by our Service Level Agreements which provide for Uptime performance of 99%/99.5%.
Approach to resilience Information available on request
Outage reporting Notification via email alert

Identity and authentication

User authentication needed Yes
User authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels Basware has documented logical access controls, for requesting and granting access rights to production systems and applications. Access is on a role-based model, approved by management. Access rights are removed from operating systems and applications immediately after termination/transfer of employment and specific notification from HR or supervisors. Access profiles defining roles based on user job functions are documented and used to restrict access. These follow the principle of least privilege. Root, Administrator and other privileged operating system level access to production system is restricted to authorised individuals. Operating system and applications are configured to enforce minimum requirements for password quality/expiration.
Access restriction testing frequency At least once a year
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 DNV GL Business Assurance Ltd
ISO/IEC 27001 accreditation date 16/06/2015
What the ISO/IEC 27001 doesn’t cover The Basware Network interface is outside of certification.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations Yes
Any other security accreditations Cyber Essentials (CREST)

Security governance

Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Basware’s UK services are accredited by the Crown Commercial Service as a PSN Assured service for the handling of data classified up to OFFICIAL and for data marked as OFFICIAL SENSITIVE. Basware’s Marketplace holds ISO 27001 certification. A yearly CESG CHECK compliant penetration test is completed which is required to support the PSN Assured accreditation. All servers hosted within the Basware Commerce Network have a full anti-virus suite installed to detect and prevent the uploading and execution of malicious software. Data held in the system is protected using access control mechanisms that are tested yearly as part of the CHECK compliant penetration test, approved within the Crown Commercial Service issued PSN Assured accreditation. The remote management of the system and therefore access to the data has its own specific RMADS.

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach The Basware solution has been built to be managed by our customers and configuration changes would typically be carried out by the customer organisation. Basware's software as a service offering does not work on the approach that our customers are buying services from us for configuration changes. If Basware is required to make changes then a formal and documented change management process must be followed. Configuration changes are documented as change request tickets.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Systems are scanned for vulnerabilities at regular intervals. Customer production systems are scanned weekly. Customer and internal IT production systems are scanned internally with privileged system credentials for: hard-to-find vulnerabilities and configuration errors, installed software patches, and system configuration compliance against applicable benchmark standards. Risks are recorded in a risk register. The risk assessment includes business impact assessment, threat assessment, and vulnerability assessment. Risk management includes risk mitigation actions, risk avoidance, risk transfer, and risk acceptance in full or in part. Risk mitigation may include preventive, reactive, and corrective actions. Reactive and corrective actions are triggered by risk realisation.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Production systems and business applications generate security events, for example for both successful and failed instances of: user logon and logoff, changes in privileges, such as user and access management, software changes and removal, system and application configuration changes, and significant system events. Create, read, update, and delete access on customer data is monitored. Exceptional access (outside of standard data flow) generates security events. Security events are transferred to a secure monitoring system as soon as events are generated and buffered locally to prevent event loss in case of a break in communications with the secure monitoring system.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Production environments are monitored for incidents and failures and incident tickets are opened for anomalies. Monitoring includes internal and external performance. Production environment activity is monitored by reviewing most common system and application log events in weekly meetings. Event logs are collected and stored. A service level agreement (SLA) for service availability and performance is in place. Performance against the SLA is monitored and measured.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks Yes
Connected networks
  • Public Services Network (PSN)
  • Police National Network (PNN)
  • New NHS Network (N3)


Price £0.05 to £0.38 per transaction
Discount for educational organisations No
Free trial available No


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document