XCD HR Limited

XCD HR and Payroll Solution

XCD is a full suite of cloud HCM solutions, delivered as a single-solution from one database to provide full employee relationship management. Functionality includes Gross & Net (UK) Payroll, Time Management, Expenses/Compensation/Reward, Learning/Performance/Appraisals, Recruitment, and associated functions (Workflow, Reporting, BI, Automation, Document management, mobile) for HR Professionals, Managers and Employees.


  • Single-solution HR and Payroll suite delivering complete Employee Relationship Management
  • Built on world class Salesforce Lightning platform
  • Full UK net payroll for public sector and mid enterprise
  • Full support for single sign on (SSO)
  • Accessible through desktop browser or mobile
  • ERP integration for Finance, PSA, time clocking, biometrics and more
  • Role based access for all employees
  • Full suite covering full employee lifecycle (recruit to retire)


  • Single solution provides seamless collaboration across all functions
  • Data automation has saved customers 1000’s of hours per year
  • 5.5 days per month can be saved on reporting
  • Global Dashboards allow HR to provide strategic support
  • Manage complex and different contract terms and working hours
  • No re-keying of data required between HR and Payroll
  • Update personal data anywhere, any time using the mobile app
  • Native Salesforce cloud app allowing anytime, anywhere access


£1.85 to £8.35 a person a month

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@peoplexcd.com. Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

7 2 8 6 3 3 4 4 5 7 6 1 5 4 5


XCD HR Limited Rachel Mudd
Telephone: 08000432923
Email: info@peoplexcd.com

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
XCD Employee Relationship Management (ERM) Suite is built on the Salesforce platform and is compatible with organisations running Salesforce.com and associated applications, and as a standalone solution leveraging the Salesforce Lightning platform.
Cloud deployment model
Public cloud
Service constraints
Planned maintenance will be in line with the Salesforce maintenance schedule and policy.

Details can be found here: https://help.salesforce.com/articleView?id=000176208&type=1
System requirements
  • Chrome or Edge Browser
  • An Octane score of 20,000 (30,000 recommended)
  • Network latency of 200 ms or lower (150 ms recommended)
  • Download speed of 1 Mbps (3mps recommended)
  • At least 5GB RAM, 2GB available for browser tabs
  • 8GB Ram, 3GB available for browser tabs recommended

User support

Email or online ticketing support
Email or online ticketing
Support response times
Support hours are UK Monday to Friday 09:00 to 17:30
Excludes Public Holidays.

Resolution times as follows:

Emergency: 24 Hours Critical: 48 Hours Normal: 5 Business days - Workaround (if available) or considered for future release.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
XCD provide the following levels of support:

Standard Support - Access to our Support Team for software issues and queries (included in software fee).

Payroll Support - As per Standard but with enhanced access to the Payroll Support team for technical and payroll processing queries (additional cost per annum - dependant on employee numbers and payrolls).

Premium Support - Additional cost which provides Standard Support plus a number of hours of free consultancy for training, report writing or simple system configuration (additional cost per annum).
Support available to third parties

Onboarding and offboarding

Getting started
Throughout the sales cycle, your dedicated Business Development Manager will get to know your teams, your processes and your strategies and will work with the professional services team to scope the project requirements. Upon commencement of the project, our sales and professional services teams will arrange a formal kick off meeting with the client to ensure continuity as we move into the implementation phase.

We will walk through the outline project plan, methodology, RACI, governance and communication and outline the steps for the implementation which follow our methodology of :

Quality Assure
Data Migration
Systems Handover and training
User Acceptance Testing
Go Live Readiness
Go Live Support and Handover
Service documentation
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction
When a contract comes to an end we will work with customers to assist them in how to extract any or all of their data from the XCD system.

This will take the form of consultancy to advise customers in what tools are available to export data OR to actually extract the data on behalf of the customer.

This is a chargeable consulting activity which would be scoped and estimated on an individual customer basis and this cost is not included in the ongoing cost of the contract with XCD.
End-of-contract process
If a customer issues XCD with notice that they wish to terminate the contract, we will arrange for a conference call with the customer and appoint an XCD Project Manager to work with the customers Project Manager to facilitate the smooth off-boarding process.

The project managers will discuss timelines for items such as "Last Transaction Date" and "Data Export Options". A Project Plan or set of agreed activities will then be created and resources assigned to carry out the activities from both XCD and the customers perspective.

Using the service

Web browser interface
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
XCD's mobile app is tailored specifically for mobile phones, and allows users to easily manage tasks including expenses, leave, authorisations and approvals, and view payslips.

In addition to this, the entire XCD application can be accessed via a tablet through the browser interface.
Service interface
Description of service interface
XCD has multiple methods for integrating to and from the application:

1) CSV/Flat Files - Predominantly used for data import or integrating external systems where real time interfaces are not required.
2) Reporting Outputs - Typically used where users wish to inspect the data prior to import to another system, for example GL reporting to Finance.
3) Pseudo Real Time Rest API - Used for integration where Employee, Work Patterns, Leave and associated holiday data is required.
Accessibility standards
None or don’t know
Description of accessibility
Access through either:

Native files (for example CSV)
As a report output
Rest API with JSON through a third party integration tool such as Mulesoft
Accessibility testing
Accessibility testing
XCD's service interface is data only and used for integration into applications. Therefore we have not tested with assistive technology.
What users can and can't do using the API
The API is delivered as an extension package associated with the XCD core package.

The API is REST utilising JSON to deliver its payload.

The API covers standard functions in the XCD application relating to:
- Leave
- Payroll
- Overtime payments
- Expenses
- Timesheets
- Performance management

Users can call the API to request information from the XCD application, or insert data into the XCD application.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
The XCD Suite of solutions is highly customisable as it is built on the Salesforce Lightning platform.

System Administrators can customise the solution in the following ways:
Objects and Fields
New Screens (modify existing or build new)
Workflows and Processes Reports
Analytics and BI Process Builders Users
Roles and Access.


Independence of resources
The current daily transaction average for Salesforce platform is regularly 6 billion, consistently at sub 250ms response time within the Salesforce environment.

Within each logical system, we use load balancers to distribute load among multiple web and application servers for additional scalability and redundancy. The multi-tenant application design, combined with the fastest servers and high-performance networking infrastructure available, guarantees fast performance.

In addition to scaling for growth, Salesforce continually strives to improve the average response time of our services and, to back up our claims, full details of transaction volumes and response times are publicly reported in real-time at https://status.salesforce.com/.


Service usage metrics
Metrics types
The service includes various metrics to monitor usage and adoption of the service, for example, last login, login duration etc.

For infrastructure detail, metrics are available at https://trust.salesforce.com, which provides performance and availability information for the entire service.

For specific metric monitoring and for more in-depth detail customers can extend capability through the use of Event Monitoring. For example - which applications are being used, by who, how are they being used, when, where from and are there performance issues? This data can be used to improve adoption, security and performance of the application.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Scale, obfuscating techniques, or data storage sharding
  • Other
Other data at rest protection approach
Classic Encryption: native Salesforce application feature which can be used to encrypt specific custom fields. There is no additional cost for this, but it does impact some application functionality.

More information here: http://sfdc.co/FieldEncryption

Platform Encryption:

Platform Encryption allows customers to encrypt data stored through Salesforce such as: files and attachments, certain standard and custom fields, and use an advanced key management system. It uses native strong, standards-based encryption. Controls help to protect data, which include the use of derived data encryption keys and customer-controlled key rotation, generation, and destruction process. Available for an additional cost.
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Users can export their data using the standard Salesforce tools or can request that XCD extract the data on their behalf.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • Other
Other protection between networks
By default, customers connect to the service over the public internet with all transmissions between the user and the Salesforce Services secured using TLS 1.1 or higher and encrypted using 256 or 128-bit encryption.

The services use International/Global Step Up SSL certificates with 2048-bit Public Keys. Web Service callouts can be secured using TLS, as well as with two-way TLS.

In addition, customers can partner with a selection of supported ISPs for a more direct connection to the Salesforce service. In the UK, BT are one such ISP. This service is known as Salesforce Express Connect.
Data protection within supplier network
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network
Customer data is protected within the Salesforce service through a mature, standards-based defence in-depth security architecture. Logical and physical access is strictly controlled and monitored. The controls used are in scope for the various security certifications the company has, and audited regularly by third parties.

Controls such as firewalls, intrusion detection, anti-malware, file integrity monitoring are augmented with extensive monitoring to provide robust prevention, detection and response. Internal and external, as well as third-party vulnerability scanning and application penetration testing are also in place.

Availability and resilience

Guaranteed availability
The Salesforce Services are designed with the concept of continuous improvement and Trust (e.g. Availability, Performance and Security) in the infrastructure. Salesforce uses commercially reasonable efforts to make its on-demand services available to its customers 24/7, except for (minimal) planned downtime, for which Salesforce gives customers prior notice, and force majeure events.

Excellent availability statistics (historically 99.9%) are critical to Salesforce's customers’ success and to the success of Salesforce as a company. Salesforce generally does not focus on a specific percentage, as we do not believe our job on availability will ever be “complete”. Live and historical statistics on Salesforce system performance are publicly published at: https://trust.salesforce.com/en/#systemStatus, and further detail can be shared upon request and NDA.
Approach to resilience
To maximise availability, the service is delivered using a world-class data centre infrastructure consisting of a primary production data centre, a full capacity secondary data centre for hosting the service provided to customers.

The infrastructure utilises carrier-class components designed to support millions of users. Extensive use of high availability servers and network technologies, and a carrier-neutral network strategy, help to minimise the risk of single points of failure, and provide a highly resilient environment with maximum uptime and performance.
Outage reporting
Outages are publicised on a public portal and via email alerts. Escalation policies are established and maintained as Salesforce's goal is to rapidly restore service. In the event of an extended outage, periodic updates are provided in near real time to customers via the trust.salesforce.com dashboard site and in addition, service notifications are provided to nominated contacts via various channels such as email.

Update frequency for notifications is dependent on the customer support service plan.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Other user authentication
Salesforce has a comprehensive set of authentication mechanisms that customers can choose from. These include the inherent username and password option, Single Sign-on, Social Sign-on through another application, such as google, integration with existing identity management systems a customer may have, 2 Factor Authentication, and the application can also act as a Service Provider or Identity Provider for SSO integration using SAML.
Access restrictions in management interfaces and support channels
Management access for service support and delivery is done through multiple layers of controls including, but not limited to, multiple 2 factor authentication, bastion host and proxy control and segregation of duties. These controls are in scope for SSAE-18 auditing and evidences through the SOC 2/ISAE3402 report.

Access to the management interface for the customer to configure their salesforce environment, is configured by the customer themselves. The options are outlined in the above response. Robust application design and testing ensures that users without administrative access rights cannot access more sensitive areas of the application.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Description of management access authentication
Customers can choose from a comprehensive set of authentication mechanisms.

These include the inherent username and password option, Single Sign-on, Social Sign-on through another application, such as google, integration with existing identity management systems a customer may have, 2 Factor Authentication, and the application can also act as a Service Provider or Identity Provider for SSO integration using SAML.

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials Plus

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
XCD have a formal approach to Security Governance which has been enhanced under our review of processes following the introduction of GDPR. This includes physical access security, hardware security, printing restriction and the introduction of Security Incidence Review processes. We achieved Cyber Essentials Plus in October 2019.
Information security policies and processes
We have a robust information security policy and set of defined processes which are externally audited.

These include:
All locations protected against cyber attack through physical and internet access controls.
Secure by design hardware and infrastructure with up to date patching policies.
Defined policies for the storage and retention of sensitive and PII data Incident and breach management process.
XCD achieved Cyber Essentials Plus in October 2019.
Training and Awareness for all staff and customers.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Infrastructure and Policy change management is through the exec team. Development change management is covered in our SDLC and enacted through our specification process, tooling and release management process.

Client environment utilises a change management object where changes to the Org are recorded and agreed with the client. We also have tooling that allows us to audit any changes to the environment on request or prior to release.

Client issues and requests, we use Case Management where each request is stored, communicated and documented. In implementation, the Project Manager is responsible for Change Management and will keep a project log.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Salesforce has various vulnerability management processes in place around internal scanning, external scanning & vendor patch release management.

Technical operations and security personnel monitor vulnerability alerts and patch release notifications from vendors and other sources. There are associated evaluation and deployment processes in place. Salesforce also regularly performs self-vulnerability assessments using various tools and techniques, such as Qualys.

In addition, Salesforce uses external service providers to perform an application vulnerability assessment after each major release (three times annually) and network vulnerability assessments quarterly. There is also an on-going external application scanning service used.

Further detail on responsible disclosure here https://trust.salesforce.com/en/security/responsible-disclosure-policy/.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Salesforce's Computer Security Incident Response Team (CSIRT) uses a security event logging and management system to manage the alerts and logs generated by devices on our network and provide protective monitoring. The system consists of a central database, management server, and distributed agents.

The distributed agents receive events from network devices and systems (firewalls, IDS, routers, switches, hosts, file integrity, and database monitoring) on the network, then compress, encrypt, and transmit the data to the management server and database for processing. Correlated events are configured to generate alerts and logs which are monitored on a 24/7 basis.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Salesforce has a formal Incident Management Process that guides the Salesforce Computer Security Incident Response team in investigation, management, communication, and resolution activities.

Salesforce will promptly notify the customer in the event of any security breach of the Service resulting in an actual or reasonably suspected unauthorised disclosure of Customer Data. Notification may include phone contact by Salesforce support, email to customer's administrator and Security Contact and public posting on trust.salesforce.com.

Salesforce.com is a member of the prestigious Forum of Incident Response and Security Teams (FIRST) and complies with the FIRST framework and best practices for incident response.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£1.85 to £8.35 a person a month
Discount for educational organisations
Free trial available
Description of free trial
Trial version includes access to all functionality within XCD solution for a maximum of four weeks.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@peoplexcd.com. Tell them what format you need. It will help if you say what assistive technology you use.