G-Cloud 11 services are suspended on Digital Marketplace

If you have an ongoing procurement on G-Cloud 11, you must complete it by 18 December 2020. Existing contracts with Evolve Retail are still valid.
Evolve Retail

Online Ordering

To facilitate the online ordering of goods either directly with suppliers or using approval processes to permit authorisation.

Features

  • Real time ordering
  • Compliance
  • Mobile working
  • PWA Progressive Web Application
  • Notifications

Benefits

  • Access remotely ordering tools
  • Approvals on the go
  • Only order permitted items
  • Manage orders and fulfilment
  • Manage budgets

Pricing

£25,000 a licence a year

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at <removed>@cc1a7fa1-2fa0-4ef1-baaf-1a51e5fe4788.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 11

Service ID

7 3 3 7 8 7 1 3 2 1 0 2 9 6 0

Contact

Evolve Retail <removed>
Telephone: <removed>
Email: <removed>@cc1a7fa1-2fa0-4ef1-baaf-1a51e5fe4788.com

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Can be integrated directly into ERP platforms or other online platforms to deliver/surface existing capabilities.
Cloud deployment model
Private cloud
Service constraints
Requires hardware that can run NUXT and other JavaScript frameworks
Will need patching and updates to be applied
System requirements
  • Specific instance software license
  • Runs on Linuz

User support

Email or online ticketing support
Email or online ticketing
Support response times
We have a set of standard SLAs in place for Monday - Friday (08:30 - 17:30) and support 'as requested' over weekends.
Our response times vary according to the ticket severity and type from 30 minutes to 2 hours.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
We provide the following support levels (with flexible SLA's) within our Foundations package which typically costs £750 per month:
- Email/Telephone Support
- Unlimited tickets
- Monitoring (24/7/365)
- Active firewall
- Reporting (Uptime/Availability/tickets)
- Customer Service manager

We can also tailor packages to specific customer requirements
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We provide onsite training and in 'application' guides using automated processes.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
We can provide this service and typically provide a data extract of all client data either through a DB copy or we can stand up an API for direct access.
End-of-contract process
The initial data extraction and subsequent data cleanse is included within the contract value.
Any further services or hosting of data would be additional

Using the service

Web browser interface
Yes
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Some features are not enabled such as complex reporting and export of data to CSV/Spreadsheets.
Service interface
No
API
No
Customisation available
Yes
Description of customisation
The following can be customised by the Evolve team:

Styling (look and feel)
Workflows
Permissions

The following can be customised by the Service user team:
Content
User set up
Budget allocation

Scaling

Independence of resources
We have intelligent load balancing capabilities allowing the services to scale - each one can be its own instance too providing walls between services.
In addition - our use of PWA means that a lot of the processing can happen 'browser side' to remove the load from the server.

Analytics

Service usage metrics
Yes
Metrics types
We provide the following per service:
Uptime and Availability
User usage

We provide at least the following per instance:
Orders placed
User journeys
Analytics
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Staff screening not performed
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
In-house
Protecting data at rest
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
No
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
Either using the built in reports or via our help desk provision.
Data export formats
  • CSV
  • Other
Other data export formats
  • Direct Database copies
  • .XLS
Data import formats
  • CSV
  • Other
Other data import formats
  • JSON
  • XLS
  • Direct database access

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
We use MS Azure and so are backed by their SLA's:
Last updated: March 2018

For all Virtual Machines that have two or more instances deployed across two or more Availability Zones in the same Azure region, we guarantee you will have Virtual Machine Connectivity to at least one instance at least 99.99% of the time.

For all Virtual Machines that have two or more instances deployed in the same Availability Set, we guarantee you will have Virtual Machine Connectivity to at least one instance at least 99.95% of the time.

For any Single Instance Virtual Machine using premium storage for all Operating System Disks and Data Disks, we guarantee you will have Virtual Machine Connectivity of at least 99.9%.
Approach to resilience
This is available on request
Outage reporting
We use Monitis for monitoring - this delivers us uptime and usage reports.

We can also make this available to our clients directly.

Upon alert we notify clients and begin the process required for fail over if we deem it necessary,

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
This is restricted to named users and controlled by our in house support team.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
No
Security governance certified
No
Security governance approach
We adopt an ISO 27001 approach to security and will use the ISMS guidelines as a basis.
Information security policies and processes
Within the group we have a full suite of the policies implemented by all group businesses.
The group work closely to make sure that we adhere to the policies as required.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All of our base code is managed via BitBucket (GIT) and applied to the site following approval from either our product manager OR client.
Our solution is built up of different modules which are joined together for client requirements - these each have to be security, unit and developer tested before they are pushed to a staging environment.
Untested code cannot pass out of the environment to production.
Each deployment is managed by Deployer allowing us to review what is deployed and facilitate a roll back when required.
Vulnerability management type
Undisclosed
Vulnerability management approach
Threats are evaluated by severity and risk - this determines the response times allocated (High Severity and High risk being scheduled first)
Patches are deployed within days of receiving them
Information is gathered from a variety of online sources and also our own testing.
We use Foregenix to help us understand these vulnerabilities.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We use several outside agency resources for this including (But not limited to):
Developer community
Monitis
Foregenix
MS Azure
When we are notified of a compromise this raises an alert on our ticketing system which then begins the process.
For a compromise we then alert our clients to allow them to decide whether or not to begin a 'problem process'.
Incidents are responded to within the SLAs provided.
Incident management type
Supplier-defined controls
Incident management approach
We have a comprehensive incident management process which includes a process for support to be instigated.
This details the route for support to be raised and notification process.
Where required we also can provide RCA reports post event.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
No

Pricing

Price
£25,000 a licence a year
Discount for educational organisations
Yes
Free trial available
No

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at <removed>@cc1a7fa1-2fa0-4ef1-baaf-1a51e5fe4788.com. Tell them what format you need. It will help if you say what assistive technology you use.