Fincore Limited

Finworks - Asset Management System

Finworks Asset Management Platform allows organisations to create, operate and maintain effective asset management processes for a variety of asset types such as buildings or facilities, equipment, software, intellectual property and contractual rights and similar financial assets. The data fabric solution provides the opportunity for proactive management throughout their lifecycle.


  • Intelligent data discovery providing a simple solution to manage assets
  • Ingestion of a variety of data from structured/unstructured sources
  • Smart, automated data onboarding with quality assurance processes
  • Supports accelerated data modelling, mining and querying
  • Enables the creation of user defined reports, views and dashboards
  • Secure data distribution to downstream applications, processes and platforms
  • High performance solution offering scalability and availability
  • Secure collaboration with suppliers and other agencies
  • Compliant to Government and Central Banking security standards
  • Open APIs for easy integration to other systems


  • Protect asset value, manage risks and optimise utilisation
  • Brings transparency to decision-making, licence management, vendor management and audits
  • Easy to configure, providing quality information to effectively manage assets
  • Reliable data stewardship and data governance
  • Cloud agnostic - public, private or hybrid cloud
  • Adherence with industry standard advanced analytics and business intelligence tools
  • Based on open-source software and architecture
  • No need for specialist Big Data or IT development skills
  • Significant reduction in implementation time due to Data Discovery
  • Effortless integration to other systems, including legacy data silos


£4,700 a licence a month

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

9 0 0 5 1 7 7 7 8 7 5 9 9 8 9


Fincore Limited Mike Ellis
Telephone: +44 (0)207 397 0620

Service scope

Software add-on or extension
Cloud deployment model
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
Service constraints
Please see our Service Definition document for details of the service. This includes a section on customer technical requirements and also details support and maintenance arrangements.
System requirements
  • Browser as per our browser specifications
  • Reasonably modern PC/mobile device
  • Sufficient bandwidth to access the service
  • Sufficient bandwidth to process data if in separate data centre

User support

Email or online ticketing support
Email or online ticketing
Support response times
In accordance with an agreed support SLA. Normally within 1 Hour on weekdays during normal UK office hours but can cover 24/7/365.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Yes, at an extra cost
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
WCAG 2.1 AA or EN 301 549
Web chat accessibility testing
Tested with standard browsers and to meet accessibility standards.
Onsite support
Yes, at extra cost
Support levels
We customise our support arrangements according to your individual needs. Support can be provided on either an SLA or capped effort basis, with support hours and SLA terms agreed according to your specific requirements. Support is provided by an expert team, and we have a reputation for building systems that are easy to use and require little support. Please see our Service Definition document and Pricing for further details of our support arrangements.
Support available to third parties

Onboarding and offboarding

Getting started
Our service is designed to be extremely easy to use, to the extent that some customers do not feel any need to train their staff to use it. We can however provide training, train-the-trainer support for in-house training, and relevant documentation as needed. We can also provide a full range of onboarding, configuration and other implementation services. Please see our Service Definition and Pricing documents for details.
Service documentation
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction
Finworks can provide an extract of the database in XML, CSV, ODF and JSON format and any stored files in their provided document format. Alternatively, users can directly extract all customer data and files using the service's API.
End-of-contract process
Please see the Exit Plan section of our Service Definition document.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Our mobile service is provided through responsive design. All core features can be used on mobile devices that meet the browser requirements, but certain functions (e.g. where large amounts of data need to be viewed on screen) are best undertaken on a PC or tablet with a suitable screen size.
Service interface
Description of service interface
All key capabilities can be accessed and integrated through our service interface. This allows seamless integration with other services, platforms, websites, apps and applications.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
Tested with standard browsers and audited through a third-party company.
What users can and can't do using the API
The service provides a RESTful Application Programming Interface (API) which allows programmatic control of any user and service management function. This includes creating, updating and extracting data (all customer data can be extracted or input using the APIs); (ii) creating and modifying queries, process flows, triggers, transformations, layouts and other objects important to system and user experience; and (iii) programmatic control of system and user management including operational monitoring. All the API calls are documented in a repository with HTML views and pdf print capabilities, with relevant sample calls and example code to aid comprehension . A test suite, or 'sandbox', can be made available as needed.
API documentation
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • ODF
  • PDF
API sandbox or test environment
Customisation available
Description of customisation
The service provides broad data management capabilities that can be very extensively configured and customised by users.


Independence of resources
Customers have a dedicated instance of our service and a dedicated virtual machine(s), network and storage resources which can be adjusted as needed by the customer. Monitoring and planning services are available to assist with adapting to changing resource requirements. All transactions are queued to allow the system to regulate service quality. Individual transactions can also be limited to a maximum resource requirements usage. Users and user groups can also be limited to resource quotas.


Service usage metrics
Metrics types
Finworks has standard service metrics which can be amended to or customised to specific requirements. The service metrics can be defined by the customers to suit their KPIs. We can extract a very broad range of data from: (i) our application; (ii) our hosting environments; and (iii) our support systems. For example, our workflow system provides visualisation of process cycle times and bottlenecks.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
Other data at rest protection approach
We apply a defence in depth approach to the hosting environments we provide.
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Our application has extensive data export capabilities that can be used to export all customer data and files. There is also an extensive API suite that provides similar capabilities.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
  • XML
  • PDF
  • JSON
  • TXT
  • DOC
  • DOCX
  • XLS
  • XLSX
  • JPG & PNG
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
  • XML
  • TXT
  • PDF
  • JPG
  • PNG
  • DOC
  • DOCX
  • XLS
  • XLSX
  • JSON

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection between networks
IP address whitelisting can be applied to customers. Where applicable, highly sensitive data could also be shipped in an encrypted format (in addition to transmission using TLS).
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network
We apply a defence in depth approach within the hosting environments we provide.

Availability and resilience

Guaranteed availability
Depending on the hosting and support arrangements in place, we can offer SLA-governed availability levels of up to 99.9% (excluding scheduled downtime).
Approach to resilience
We offer a range of resilience options. Please see our Service Definition document.
Outage reporting
We agree outage reporting arrangements in the service level agreement (SLA) with individual customers to fit in with their own processes on a per contract basis.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Other user authentication
Access over government networks could also easily be provided; all the necessary security provisions are already in place. Likewise, identity federation would be easy to provide and is on our roadmap for delivery over the G-Cloud 12 framework period.
Access restrictions in management interfaces and support channels
Our preferred platform is AWS however our solutions are cloud agnostic and we would be happy to provide the software on any cloud platform. For our standard service, the AWS Management Console is used to manage the AWS accounts and requires 2 factor authentication. Support access to the AWS infrastructure and servers is via 2-factor authentication across a VPN connection. This VPN is established using public key authentication. Username and password are required for access into the active directory domain. Where hosting with an alternative cloud provider or on premise is requested, access arrangements will be agreed with the customer.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Description of management access authentication
We have an extensive range of authentication services as indicated above.

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
British Assessment Bureau
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
All Fincore's activities are covered.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Cyber Essentials scheme and Data Security and Protection toolkit.
Information security policies and processes
Fincore is accredited to the ISO27001 ISMS standard, with a regular programme of internal and external (independent) audit to monitor and maintain compliance. Fincore is also accredited to the ISO9001 quality management standard, and is registered with the Information Commissioner's Office for data protection.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Every customer fully controls the configuration of their service-instances. When Finworks makes changes on behalf of customers: a business analyst will capture requirements which will be implemented by trained specialists; a solution architect and our QA team review requirements prior to design, then review and test proposed detail configuration changes prior to deployment ensuring functional, SLA, and information-security quality criteria are met. Change management processes for configuration changes are agreed with customers. For software development, our SaaS development process follows best practice standards for robust, secure trusted cloud software. The change process is recorded in a centralised change management portal.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
We undertake threat reviews when we make changes to our software or infrastructure and when new threats are made public. We carry out regular penetration testing and our CSO monitors security information sources. Our DevOps team are responsible for addressing public threats and the system architects would address any vulnerabilities identified based on the area of the threat. The speed of patching is proportionate to the level of threat identified.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
We have an IDS/IPS in place with anti-virus and anti-malware software on all Windows servers. We collate log files centrally from all relevant system components, and these are reviewed daily by the DevOps team. When unusual activity is identified, it is escalated to our system architects who, in consultation with our CISO, will determine the appropriate course of action. DarkTrace and Cisco Firepower are used for monitoring the network activity.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
When incidents occur, they are triaged by a Service Manager who co-ordinates the response in accordance with our ISO27001 policies and procedures. Our team and customers may report incidents by phone, email or directly and all incidents are logged in our centralised incident management portal. Major incidents will be escalated immediately to senior management level. The Service Manager provides regular updates and an incident report on resolution.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
Connected networks
  • Public Services Network (PSN)
  • NHS Network (N3)
  • Health and Social Care Network (HSCN)


£4,700 a licence a month
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.