Circular Wave

Circular Wave

Real-time Staff Bank and workforce management platform, with embedded Vendor Management System


  • Engage with your workforce through best-in-class mobile app
  • Establish a Staff Bank across any number of sites
  • Supports regional / shared bank by design
  • Single shifts, or long term vacancies with associated work patterns
  • In-app time sheets
  • Rapid payment (payroll integration, ESR or our own service)
  • Incentivisation and rewards
  • Compliance "passport" with automated checks
  • Embedded Vendor Management System for agency controls and auditing
  • Real-time reporting


  • Increase use of Staff Banks, saving money vs agency
  • Single point for managing Staff Bank and agency requests
  • Reduces time spent managing vacancies
  • Total transparency of agency rates through VMS
  • Advanced reporting allows for unparalleled insight and forward planning
  • Prevent candidate disengagement through irrelevant "spam" of shifts
  • Maximises fill rate through automation


£5 to £9 per user per month

Service documents

G-Cloud 10


Circular Wave

James Foxlee

0330 229 0085

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints No
System requirements
  • Mobile app versions: Android > 4.4 or iOS > 8
  • Web app: no support for IE < version 11
  • Email address required for all users

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Online tickets preferred: median response time < 20 minutes on standard SLA
Email: median response time < 4 hours on standard SLA
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), 7 days a week
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), 7 days a week
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Captioning
Web chat accessibility testing None
Onsite support Yes, at extra cost
Support levels On-site system training and user onboarding support provided for 5 days as part of standard setup fee
Additional support days can be purchased at day rate
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started On-site training and user onboarding support provided as part of setup fee, additional support days can be purchased. User documentation provided.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Email request prior to end of contract, or 90 days after expiry
End-of-contract process Data extraction included in price of contract. Additional reports not provided without prior agreement and attract additional costs.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install Yes
Compatible operating systems
  • Android
  • IOS
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Mobile app is for Candidates i.e. those applying for extra shifts, filling time sheets, and getting paid.
Web app is for Admins i.e. those creating shifts, booking Candidates, approving time sheets, managing users and permissions, and generating reports.
Accessibility standards None or don’t know
Description of accessibility Captioning
Accessibility testing None
Customisation available Yes
Description of customisation All major functionality can be disabled or enabled depending on customer workflows and requirements


Independence of resources Microservice architecture, automatic scaling, system-wide reporting and usage alerts


Service usage metrics Yes
Metrics types Logging and in-app reporting of all requests made through system. Customer support SLAs including median response time and time to close (in-app chat only)
Reporting types
  • Real-time dashboards
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Email request
Data export formats
  • CSV
  • Other
Other data export formats JSON
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability We strive for 99.999% uptime. We guarantee 99.5% uptime in our SLA, with 1 month service credit for failing to meet this target.
Approach to resilience Available on request
Outage reporting Public dashboard, email alerts

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Identity federation with existing provider (for example Google Apps)
Access restrictions in management interfaces and support channels Highly granular access permissions exist for all actions that can be taken in the system, for all users of the system. Permissions can only modified by superusers with the permissions to do so. Those users without View permissions on a feature cannot see it or access it.
Access restriction testing frequency At least every 6 months
Management access authentication Identity federation with existing provider (for example Google Apps)

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards CSA CCM version 3.0
Information security policies and processes Granular access controls supported by policies with clear escalation / reporting lines to defined roles

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach All proposed change requests are assessed for user impact, system impact, complexity and urgency. New change requests are prioritised and approved by designated individuals. Development carried out and tested on separate environment, with automated and manual QA processes. Approved change requests assessed on a daily basis using agile / scrum methodology to ensure correctly prioritised.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Server vulnerability is handled by third party supplier (AWS) to defined standards, including security and operating system patching schedules. Code review ensures key application vulnerabilities (e.g. OWASP Top Ten) are protected against. Newly identified vulnerabilities are patched urgently depending on priority.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach See previous
Incident management type Supplier-defined controls
Incident management approach Documented incident management process of detection, internal and external alerting, assessment, immediate response, testing and monitoring, and post-event response and analysis.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £5 to £9 per user per month
Discount for educational organisations No
Free trial available No


Pricing document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑