ID Medical Group Ltd

Simplicity Vendor Management Software (VMS)

Simplicity is a Procure-to-Pay system for managing internal and contingent workforce. It's designed to give clients greater control of staff spend using end-to-end vacancy filling, e-timesheets and staff compliance features.

Simplicity is delivered via a full implementation strategy uniquely configured to a customer’s needs and offering a complete support package.


  • Web based total procure-to-pay vendor management system
  • Quick rota/shift/vacancy creation with automatic tier cascade
  • Fast candidate submission via agency portal with compliance checks
  • Compliance management, monitoring and enforcing. Document expiry alerts and checklist
  • Fixed pay and charge rate cards, budget controls, cost forecasts
  • Real-time, bespoke reporting with dashboards and export functions
  • E-timesheets and consolidated e-invoicing with multi-level approval and self-billing
  • Supply chain management with vendor score carding and performance tracking
  • Staff Bank first and direct engagement options
  • Third party integration capabilities with ESR, rostering and finance packages


  • Quick implementation supported by our proven professional services team
  • Central system to manage your end-to-end booking process
  • Savings of up to 20% on temporary staff spend
  • Supports all models – Master Vendor/Managed Service, Staff Bank, PSL
  • Fixed rate cards and monitoring, to control your spend
  • Reduces administration time and cost. Fully auditable
  • Users of all abilities can easily perform tasks from anywhere
  • Real-time reporting provides full transparency of your supply chain
  • Reduces invoicing cost through consolidated self-billed invoicing
  • E-timesheets with automatic break deductions, reduce overpayments

Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints No
System requirements
  • Minimum 5Mb Internet connection (10Mb recommended)
  • IE9/10/11, Edge or Google Chrome
  • Accessed through port 8080 (only)
  • 3Gb memory (recommend at least 250Mb free memory)

User support

Email or online ticketing support Email or online ticketing
Support response times One hour between 8.30 & 18.00, Mon-Fri. Five hours outside of this time
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Onsite support
Support levels Training, ongoing support and improvement is provided at a level agreed with each client
Support available to third parties Yes

Onboarding and offboarding

Getting started Initial demonstration with basic training, followed by a trial period on a demonstration system, then a full onsite training programme and a follow-up session onsite or via webinar to suit the client's preference.
Service documentation Yes
Documentation formats
  • HTML
  • ODF
  • PDF
  • Other
Other documentation formats
  • MS Visio
  • MS Project
  • MS Word
  • MS Excel
  • MS PowerPoint
End-of-contract data extraction We will gather client requirements for data structure and content and normally deliver in CSV, with associated files as needed.
End-of-contract process A work package for service closure is created and will include the development of an extraction in line with the client's requirements prior to the service ending.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Drag and drop features are not supported on mobile devices.
Accessibility standards None or don’t know
Description of accessibility Development of the service is working towards the WCAG 2.1 AAA standard; however it has not been formally certified.
Accessibility testing Where users have a requirement to use assistive technology we will undertake appropriate testing to ensure correct operation of the software with the assistive technology.
Customisation available Yes
Description of customisation Full workflow configuration including multiple authorisation levels for each stage. Fully configured output and exports including finance systems integration.


Independence of resources The service has been designed from the ground up to be scalable to support traffic escalation. Server and bandwidth capacity and performance are continually monitored to ensure sufficient excess capacity. Spare capacity is maintained by taking preventative action in advance of any limits being reached.


Service usage metrics Yes
Metrics types Reports can be produced based upon any data held in the system. A requirements gathering exercise is used to establish client requirements and a suite of metrics is provided in line with this.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Staff screening not performed
Government security clearance None

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach In-house destruction process

Data importing and exporting

Data export approach Clients have the ability to extract customised reporting and exports in various file types.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats Pdf, .doc, .pli, .txt and .xls
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats Pdf, .doc, .docx, .png and .jpg

Data-in-transit protection

Data protection between buyer and supplier networks Other
Other protection between networks Advanced IP security access can be achieved by controlling user access by location. Data transmitted between Simplicity and the user is encrypted using an industry standard SSL certificate.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network Anti-Virus/Trojan software is installed on every server. It is set to auto-update, with the availability of new patches being checked every 4 hours. In addition to “On-Demand” scanning, a full system scan is performed on a daily basis. Any viruses found are automatically quarantined, and an alert is raised to enable investigation to be carried out.
Servers are tightly firewalled, with only essential ports being open to the public. Intrusion detection software is run on servers to flag unusual activity or activity that may compromise security.
Operating System security patches are checked on a regular basis and automatically downloaded.

Availability and resilience

Guaranteed availability 99.5%
Approach to resilience The network infrastructure provides multiple levels of redundancy through the use of multiple bandwidth providers, and failover hardware for key systems.
Outage reporting The service is monitored from multiple points of presence. This monitoring verifies site and system availability, as well as system components. Our partner is alerted immediately and knows instantly if any of the services go down; they notify ID Medical via telephone, which then contacts clients via their preferred communication channel within agreed timeframes.

Identity and authentication

User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Individual access portals are provided for client / suppliers / management / workers with each portal having configurable user types as required for each instance.
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • ID Medical is certified to the Cyber Essentials Scheme.
  • Our software partner is ISAE3402 accredited.

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards ISAE3402
Information security policies and processes ID Medical is certified to the Cyber Essentials Scheme. Our software partner is ISAE3402 accredited.

ID Medical has established Information Protection and Data Protection policies to ensure the protection of information assets and personal data within the custody of the business. High standards of confidentiality, integrity and availability of information are maintained at all times.

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Where changes are required, these are submitted in writing (via email) and assessed by the project team, including for any potential performance or security impacts, and the requirement agreed with the client. Configuration changes are implemented within an agreed timeframe, having been tested prior to deployment into the live environment. Where bespoke development is required a quotation will be provided based on our SFIA rates.
All changes are logged.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Procedures are in place for protecting the service against vulnerabilities. These include a regular patching policy and updates from operating system vendors to rectify any potential vulnerabilities. Vulnerability scanning of the environment is undertaken and an approved software tool is used to check for any abnormalities.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach User access permissions are reviewed to ensure that only appropriate user access is granted relevant to the role and authority of the individual. Processes and systems are in place to monitor user accounts and all systems have access controls. User accounts are disabled when access is no longer required. Regular audits on user access exceptions are performed; all access is audited and event logs reviewed. Alerts are in place for unauthorised access attempts.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Regular security risk assessments are undertaken and steps taken to mitigate identified risks. These are documented in a register, along with recommended actions. All changes are audited.

Any security incident that does occur will be treated as high priority. Affected clients will be notified. Immediate steps will be taken to protect data and affected clients will be regularly updated. After the incident has been resolved a review will be undertaken to identify any lessons to be learned and any new measures that may be required to improve security.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks No


Price £2500 per unit per month
Discount for educational organisations No
Free trial available No

Service documents

  • Pricing document (PDF)
  • Skills Framework for the Information Age rate card (PDF)
  • Service definition document (PDF)
  • Terms and conditions (PDF)
  • Modern Slavery statement (PDF)