ID Medical Group Ltd

Simplicity Vendor Management Software (VMS)

Simplicity is a Procure-to-Pay system for managing internal and contingent workforce. It's designed to give clients greater control of staff spend using end-to-end vacancy filling, e-timesheets and staff compliance features.

Simplicity is delivered via a full implementation strategy uniquely configured to a customer’s needs and offering a complete support package.


  • Web based total procure-to-pay vendor management system
  • Quick rota/shift/vacancy creation with automatic tier cascade
  • Fast candidate submission via agency portal with compliance checks
  • Compliance management, monitoring and enforcing. Document expiry alerts and checklist
  • Fixed pay and charge rate cards, budget controls, cost forecasts
  • Real-time, bespoke reporting with dashboards and export functions
  • E-timesheets and consolidated e-invoicing with multi-level approval and self-billing
  • Supply chain management with vendor score carding and performance tracking
  • Staff Bank first and direct engagement options
  • Third party integration capabilities with ESR, rostering and finance packages


  • Quick implementation supported by our proven professional services team
  • Central system to manage your end-to-end booking process
  • Savings of up to 20% on temporary staff spend
  • Supports all models – Master Vendor/Managed Service, Staff Bank, PSL
  • Fixed rate cards and monitoring, to control your spend
  • Reduces administration time and cost. Fully auditable
  • Users of all abilities can easily perform tasks from anywhere
  • Real-time reporting provides full transparency of your supply chain
  • Reduces invoicing cost through consolidated self-billed invoicing
  • E-timesheets with automatic break deductions, reduce overpayments


£2500 per unit per month

Service documents


G-Cloud 11

Service ID

8 9 5 4 7 7 4 1 1 3 5 1 2 1 5


ID Medical Group Ltd

Stefan Thygesen

01908 552820

Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
System requirements
  • Minimum 5Mb Internet connection (10Mb recommended)
  • IE9/10/11, Edge or Google Chrome
  • Accessed through port 8080 (only)
  • 3Gb memory (recommend at least 250Mb free memory)

User support

Email or online ticketing support
Email or online ticketing
Support response times
One hour between 8.30 & 18.00, Mon- Fri. Five hours outside of this time
User can manage status and priority of support tickets
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Onsite support
Support levels
Training, ongoing support and improvement is provided at a level agreed with each client
Support available to third parties

Onboarding and offboarding

Getting started
Initial demonstration with basic training followed by trial period of a demonstration system before full onsite training programme and follow up session onsite or via webinar to suit a client's preference.
Service documentation
Documentation formats
  • HTML
  • ODF
  • PDF
  • Other
Other documentation formats
  • MS Visio
  • MS Project
  • MS Word
  • MS Excel
  • MS PowerPoint
End-of-contract data extraction
We will gain client requirements for data structure and content and normally deliver in CSV with associated files as needed.
End-of-contract process
A work package for service closure is created and will include the development of an extraction in line with the client's requirements prior to the service ending.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Drag and drop features are not supported on mobile devices.
Service interface
Description of service interface
The multi-page interface is web-based and adaptive and responsive. It has been designed to be clear and directive, making it easy to use and navigate. It is configurable to meet the needs of specific users and works with a number of assistive devices and tools.
Accessibility standards
None or don’t know
Description of accessibility
Development of the service is working towards the WCAG 2.1 AAA standard; however it has not been formally certified.
Accessibility testing
Where users have a requirement to use assistive technology we will undertake appropriate testing to ensure correct operation of the software with the assistive technology.
Customisation available
Description of customisation
Full workflow configuration including multiple authorisation levels for each stage. Fully configured output and exports including finance systems integration.


Independence of resources
The service has been designed from the ground up to be scalable to support traffic escalation. Both the server and bandwidth capacity and performance is continually monitored to ensure sufficient excess capacity. Spare capacity is maintained by taking preventative precautionary action in advance of any limits being reached.


Service usage metrics
Metrics types
Reports can be produced based upon any data held in the system. A requirements gathering exercise is used to establish client requirements and a suite of metrics is provided in line with this.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Staff screening not performed
Government security clearance

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
Clients have the ability to extract customised reporting and exports in various file types.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
Pdf, .doc, .pli, .txt and .xls
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
Pdf, .doc, .docx, .png and .jpg

Data-in-transit protection

Data protection between buyer and supplier networks
Other protection between networks
Advanced IP security access can be achieved controlling the access for users by locations. Data transmitted between Simplicity and the user is encrypted using an industry standard SSL certificate.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
Anti-Virus/Trojan software is installed on every server. It is set to auto-update with the availability of new patches being checked every 4 hours. In addition to “On-Demand” scanning, a full system scan is performed on a daily basis. Any viruses found are automatically quarantined, and an alert is raised to enable investigation to be carried-out.
Servers are tightly firewalled, with only essential ports being open to the public. Intrusion detection software is run on servers to flag unusual activity or activity that may compromise security.
Operating System security patches are checked on a regular basis and automatically downloaded.

Availability and resilience

Guaranteed availability
Approach to resilience
The network infrastructure provides multiple levels of redundancy through the use of multiple bandwidth providers, and failover hardware for key systems.
Outage reporting
The service is monitored from multiple points-of-presence. This monitoring verifies site and system availability, as well as system components. Our partner knows instantly if any of the services go down and are alerted immediately; they notify ID Medical via telephone, who then contact clients via their preferred communication channel within agreed timeframes.

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
Individual access portals are provided for client / suppliers / management / workers with each portal having configurable user types as required for each instance.
Access restriction testing frequency
At least every 6 months
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • ID Medical is certified to the Cyber Essentials Scheme.
  • Our software partner is ISAE3402 accredited.

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
Information security policies and processes
ID Medical is certified to the Cyber Essentials Scheme. Our software partner is ISAE3402 accredited.

ID Medical has established Information Protection and Data Protection policies to ensure the protection of information assets and personal data within the custody of the business. High standards of confidentiality, integrity and availability of information are maintained at all times.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Where changes are required, these are submitted in writing (via email) and assessed by the project team, including for any potential performance or security impacts, and the requirement agreed with the client. Configuration changes are implemented within an agreed timeframe, having been tested prior to deployment into the live environment. Where bespoke development is required a quotation will be provided based on our SFIA rates.
All changes are logged.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Procedures are in place for protecting the service against vulnerabilities. These include a regular patching policy and updates from operating system vendors to rectify any potential vulnerabilities. Vulnerability scanning of the environment is undertaken and an approved software tool is used to check for any abnormalities.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
User access permissions are reviewed to ensure that only appropriate user access is granted relevant to the role and authority of the individual. Processes and systems are in place to monitor user accounts and all systems have access controls. User accounts are disabled when access is no longer required. Regular audits on user access exceptions are performed; all access is audited and event logs reviewed. Alerts are in place for unauthorised access attempts.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Regular security risk assessments are undertaken and steps taken to mitigate identified risks. These are documented in a register, along with recommended actions. All changes are audited.

Any security incident that does occur will be treated as high priority. Affected clients will be notified. Immediate steps will be taken to protect data and affected clients will be regularly updated. After the incident has been resolved a review will be undertaken to identify any lessons to be learned and any new measures that may be required to improve security.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£2500 per unit per month
Discount for educational organisations
Free trial available

Service documents

Return to top ↑