Evolve Retail

Online Ordering

Facilitates the online ordering of goods, either directly with suppliers or through approval processes that permit authorisation.


  • Real time ordering
  • Compliance
  • Mobile working
  • Progressive Web Application (PWA)
  • Notifications


  • Access ordering tools remotely
  • Approvals on the go
  • Only order permitted items
  • Manage orders and fulfilment
  • Manage budgets


£25000 per licence per year

  • Education pricing available

Service documents


G-Cloud 11

Service ID

733787132102960


Evolve Retail

Maxi Ayres



Service scope

Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Can be integrated directly into ERP platforms or other online platforms to deliver/surface existing capabilities.
Cloud deployment model Private cloud
Service constraints Requires hardware that can run NUXT and other JavaScript frameworks
Will need patching and updates to be applied
System requirements
  • Specific instance software license
  • Runs on Linux

User support

Email or online ticketing support Email or online ticketing
Support response times We have a set of standard SLAs in place for Monday - Friday (08:30 - 17:30) and support 'as requested' over weekends.
Our response times vary according to the ticket severity and type from 30 minutes to 2 hours.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels We provide the following support levels (with flexible SLAs) within our Foundations package, which typically costs £750 per month:
- Email/Telephone Support
- Unlimited tickets
- Monitoring (24/7/365)
- Active firewall
- Reporting (Uptime/Availability/tickets)
- Customer Service manager

We can also tailor packages to specific customer requirements
Support available to third parties Yes

Onboarding and offboarding

Getting started We provide onsite training and in-application guides using automated processes.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction We can provide this service and typically provide a data extract of all client data either through a DB copy or we can stand up an API for direct access.
End-of-contract process The initial data extraction and subsequent data cleanse is included within the contract value.
Any further services or hosting of data would be additional.

Using the service

Web browser interface Yes
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Some features are not enabled, such as complex reporting and export of data to CSV/spreadsheets.
Service interface No
Customisation available Yes
Description of customisation The following can be customised by the Evolve team:

Styling (look and feel)

The following can be customised by the Service user team:
User set up
Budget allocation


Independence of resources We have intelligent load balancing capabilities allowing the services to scale. Each one can also be its own instance, providing walls between services.
In addition, our use of PWA means that a lot of the processing can happen 'browser side' to remove the load from the server.


Service usage metrics Yes
Metrics types We provide the following per service:
Uptime and Availability
User usage

We provide at least the following per instance:
Orders placed
User journeys
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Staff screening not performed
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach In-house
Protecting data at rest
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process No
Equipment disposal approach In-house destruction process

Data importing and exporting

Data export approach Either using the built-in reports or via our help desk provision.
Data export formats
  • CSV
  • Other
Other data export formats
  • Direct Database copies
  • .XLS
Data import formats
  • CSV
  • Other
Other data import formats
  • JSON
  • XLS
  • Direct database access

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability We use MS Azure and so are backed by their SLAs:
Last updated: March 2018

For all Virtual Machines that have two or more instances deployed across two or more Availability Zones in the same Azure region, we guarantee you will have Virtual Machine Connectivity to at least one instance at least 99.99% of the time.

For all Virtual Machines that have two or more instances deployed in the same Availability Set, we guarantee you will have Virtual Machine Connectivity to at least one instance at least 99.95% of the time.

For any Single Instance Virtual Machine using premium storage for all Operating System Disks and Data Disks, we guarantee you will have Virtual Machine Connectivity of at least 99.9%.
Approach to resilience This is available on request
Outage reporting We use Monitis for monitoring, which gives us uptime and usage reports.

We can also make this available to our clients directly.

Upon alert we notify clients and begin the process required for failover if we deem it necessary.

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels This is restricted to named users and controlled by our in-house support team.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Named board-level person responsible for service security No
Security governance certified No
Security governance approach We adopt an ISO 27001 approach to security and will use the ISMS guidelines as a basis.
Information security policies and processes Within the group we have a full suite of the policies implemented by all group businesses.
The group work closely to make sure that we adhere to the policies as required.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach All of our base code is managed via Bitbucket (Git) and applied to the site following approval from either our product manager or client.
Our solution is made up of different modules which are joined together for client requirements. Each of these has to be security, unit and developer tested before it is pushed to a staging environment.
Untested code cannot pass out of the environment to production.
Each deployment is managed by Deployer allowing us to review what is deployed and facilitate a roll back when required.
Vulnerability management type Undisclosed
Vulnerability management approach Threats are evaluated by severity and risk, which determines the response times allocated (high severity and high risk being scheduled first).
Patches are deployed within days of receiving them.
Information is gathered from a variety of online sources and also our own testing.
We use Foregenix to help us understand these vulnerabilities.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We use several outside agency resources for this, including (but not limited to):
Developer community
MS Azure
When we are notified of a compromise this raises an alert on our ticketing system which then begins the process.
For a compromise we then alert our clients to allow them to decide whether or not to begin a 'problem process'.
Incidents are responded to within the SLAs provided.
Incident management type Supplier-defined controls
Incident management approach We have a comprehensive incident management process which includes a process for support to be instigated.
This details the route for support to be raised and notification process.
Where required, we can also provide RCA reports post event.

Secure development

Approach to secure software development best practice Supplier-defined process

Public sector networks

Connection to public sector networks No


Price £25000 per licence per year
Discount for educational organisations Yes
Free trial available No
