Zellis UK Limited


Provision of HR & Payroll software on a UK based SaaS platform. Functionality includes comprehensive and flexible HR features, rich Payroll including all UK and ROI legislative requirements with facilities for multi-post employees, back-pay calculation etc. and a highly functional and intuitive self-service portal for both employees and line managers.


  • Integrated modular platform offering single source of truth
  • Fully responsive design empowering, anytime, anywhere, any device access
  • Comprehensive Real-Time Dashboards and analytics tailored to your needs
  • Powerful workflow engine to drive improved business processes
  • Configurable, scalable, agile solution underpinning ever changing business needs
  • 40 years Public Sector payroll knowledge and legislative compliance
  • Ability to outsource HR & Payroll capability
  • SaaS delivery from secure, resilient UK based Data Centres
  • Significant R&D investment driven by customer experience and market trends


  • Comprehensive, accurate, real-time information, enabling evidence-based decisions
  • Enhanced employee engagement, driving productivity, retention and cost reduction
  • Easy, intuitive, faster and more agile decision making
  • Underpinning continual business process improvement and cost reduction
  • Your investment is protected long term
  • De-risk your decision, and your organisation
  • We understand your public-sector payroll needs and complexities
  • Focus on core competencies and strategy whilst reducing cost
  • Low risk, secure and continually compliant data location
  • Highly engaged collaborative customer base benefiting directly from targeted investment


£0.59 per person per month

Service documents


G-Cloud 11

Service ID

9 5 4 0 0 7 0 2 3 8 7 1 4 3 2


Zellis UK Limited

Ricardo Arruda

01733 555777


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints None.
System requirements
  • Customer to provision suitable firewall-router to initiate IPSec VPN
  • Customers to use supported OS & Browser combination
  • Supported browsers: IE11, Edge, Chrome, Firefox, Safari (on apple)

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Tickets can be raised on-line via the Zellis Extranet 24/7 however incidents for support will only be responded to during standard working hours.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Web Chat (Live Chat) is available Monday to Friday 9:00 to 17:00 (UK time) excluding bank and public holidays in England for advice and guidance.
Web chat accessibility testing None
Onsite support Yes, at extra cost
Support levels For the Zellis SaaS solution, systems are generally available for on-line use 24 hours per day, 7 days per week, excluding certain times during which housekeeping and other operational activities take place, e.g. upgrades to the hosting infrastructure, database export routines etc.
Zellis will commit up to 99.5% availability within the Core Service Availability hours, which are 08:00 to 18:00 Monday to Friday except UK Bank and Public Holidays and any downtime for application upgrades.
Support is provided against a set of Service Level Targets and underpinned by our Support Service Guide.
Priority 1: Critical: Guideline Response Time – 1 hour: Guideline Resolution Time – 4 hours
Priority 2: Urgent: Guideline Response Time – 1 day: Guideline Resolution Time – 5 days
Priority 3: Important: Guideline Response Time – 1 day: Guideline Resolution Time – 20 days
Priority 4: Non-urgent: Guideline Response Time – 1 day: Guideline Resolution Time – not before next major release.
We provide one level of support included within the annual maintenance fee.
Support is provided by a bank of skilled support consultants with a variety of skills to meet the diversity of support calls.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Zellis’ Standard Implementation Methodology is known as PIM (Process Implementation Method). PIM has been developed to standardise how Zellis implement products and services, drawing upon many years of experience and best practice. The Zellis project method is based on key principles from PMBOK project methodologies.
PIM is split into 5 stages; Prepare, Elaborate, Build, Deploy and Operate.
Knowledge Areas
As well as the project being broken down into the five stages, it is also split into three main knowledge areas; Project Delivery System (PDS), Process Configuration (PC) and Operations Readiness (OR). An overview of each is as follows:
● Project Delivery System
 Drives the implementation through the PIM phases using quality tollgates as entry points
● Process Configuration
 Configures the HR and/or Payroll solutions to client specifics
● Operations Readiness
 Prepares the resources of customer and Zellis to deliver the required function/service
Service documentation No
End-of-contract data extraction Upon contract termination, data will be returned to the customer in a contractually agreed format.
End-of-contract process A mutually agreed exit plan is put in place, ensuring continued Account Management, Support and Maintenance for the client until contract expiration. The customer data shall then be returned in whole, or destroyed in line with GDPR requirements.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service There are two user interfaces:

1) For managers and employees, we provide an intuituve fully responsive interface for self service users across any device.

2) For core HR & Payroll administrators, we provide a comprehensive interface designed for full screen browser access.

Both are browser based, requiring no desktop application.
Service interface No
What users can and can't do using the API A publicly accessible, openly documented API is available. The ResourceLink API is a SOAP and WSDL based API (being transposed to REST) that exposes both inbound and outbound notification services between ResourceLink and third-party applications to aid customers in the realisation of their SOA strategy. This is offered as an optional part of ResourceLink.

The ResourceLink API allows online systems to receive changes to employee, post, post holding, vacancy and application data on a configurable near real time basis, typically every five minutes. Likewise, the API exposes web services that allows other systems to query ResourceLink based post-to-post security and update basic employee details that may be maintained or entered via another system.
API documentation Yes
API documentation formats
  • PDF
  • Other
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Users can customise ResourceLink the following ways;

1) Reporting Dashboards
2) Branding
3) Menus
4) Field Names
5) MyForms
6) Workflows & Alerts
7) Security Profiles
8) Approvals

This is not an exhaustive list and will be determined by the modules utilised by the user.

Additionally, we also provide User Defined Fields and Screens.
Two types of user defined screen are available:
● Simple Screens – this type of user defined screen allows basic data entry by the operator. The systems administrator can define the number of fields on the screen, the order of the fields on the screen, mandatory fields and validation.
● Key Dependent Screens – This type of user defined screen has the added capability of holding current and previous lines of information, thus allowing for the retention of historical amendments.
Both the user defined and standard screens can be included in workflow tasks in whatever sequence best suits your workflow processes. User defined fields and screens, with their attaching characteristics, are maintained through upgrades and releases.


Independence of resources Peak demands are smoothed using dynamic resource re-allocation and load balancing capabilities within the infrastructure. Each virtual server has a variable allocation of CPU which may be flexed dynamically. This means that if a virtual server is quiet, it can donate resources to others that require it, and then return them. Resilient Content Switches are also used to load balance Reverse Proxy servers that directs to the delivery tier to provide the application. Zellis ensures that the baseline specifications for each virtual server reflect actual usage, and that Storage Pools have reserves based on real usage statistics.


Service usage metrics Yes
Metrics types New Relic allows monitoring of application performance (response times, throughput, network times, etc.); it also monitors the status of the different technical components of the application (application servers, databases) and the resources used (memory, CPU, etc.). Results can be shared with customers at the regular Service Review meetings. It is hoped that in future we will be able to provide customers with relevant APDEX scores via the New Relic tool. APDEX is essentially a response time satisfaction scoring system, on a sliding scale from 1 to 0. During our trials, we have observed a typical score of 0.98.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Users can export data through standard export routines, such as costing extract, along with being able to export any item of data, including user defined fields, via the reporting tool.
Data export formats
  • CSV
  • Other
Other data export formats
  • PDF
  • DOCX
  • XLS
  • XLSX
  • RTF
  • ODT
  • ODS
  • XML
  • PPTX
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection between networks In addition to using TLS/SSL encryption for browser traffic, NGA encapsulates data for core users within IPSec compliant VPN tunnels dedicated to each buyer providing double encryption. These are also used as a “utilities” pipe carrying additional traffic. Multi-Factor Authentication is being introduced that provides additional protection.

Regular security tests are carried out by CHECK/CREST third-party specialists. Multi-tiered network access and protection layers are provided in each data centre. Industry-standard hardware has been hardened and configured using specific rules and multiple DMZ legs are in used to provide separate zones. ACLs and bandwidth management systems protect from potential DDOS attacks.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network Each buyer will be allocated their own address range within the SaaS network so that source IP NATing can be used. Additional NATs may be required. IPSec VPNs are configured only to receive data from your range.

The Zellis endpoint will instigate a tunnel at Phase 1 if the correct public IP, agreed encryption method and Pre-Shared Key are used. The phase 2 traffic would need to be set the same and for the source and destination to address to match.

Each buyer has dedicated resources:

•Rule-set on firewalls
•Oracle databases;
•ResourceLink application;
•Secured storage using AES256 encryption
•SFTP Accounts

Availability and resilience

Availability and resilience
Guaranteed availability The system is generally available 24 x 7 except where planned maintenance is scheduled outside of the Core Service Availability Period (CSAP). Zellis SLA for availability is 99.5% during the CSAP hours which are 0800-1800 for English working days.
Current availability statistics on a rolling 12-month period are 99.8% availability during CSAP hours.
Approach to resilience Zellis utilises industry-leading equipment with no single points of failure, i.e. dual PSU's, dual backplane, automatic remapping of faulty CPU or memory, dual virtualised I/O, RAID configured SANs etc., virtual server migration (IBM LPAR's), dual communications equipment configured in 'hot standby' mode, dual diverse communications lines, dual power feeds from different utility companies, and N+1 air conditioning. All SaaS equipment is protected against power outages by UPS’s capable of supporting the full load (including air conditioning). UPS’s are backed up by diesel generators which typically hold at least 3 days’ worth of fuel; fail-over to generators is tested regularly.
Outage reporting Outages are alerted to Zellis operatives via our system monitoring tools.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels Access by privileged Zellis users of the SaaS environment are controlled via a Bastion Host infrastructure. This includes Terminal Services, file and proxy servers as well as two factor authentication using RSA keys. Within the SaaS environment, elevated privileges are assigned to individual user accounts by using the “sudo” command. This works by allowing the user to run as a separate account with heightened privileges. This allows the logging of activities will be against the individual's unique account and so all activities can still be associated to an individual.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI
ISO/IEC 27001 accreditation date 29/05/2003
What the ISO/IEC 27001 doesn’t cover N/A
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications Cyber Essentials Certification

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards Zellis has Cyber Essential Certification
Information security policies and processes Zellis have a raft of policies, standards and procedures that support our overarching Information Security Policy. These vary from Acceptable Use Policies e.g. for Internet Usage, email usage, Virus Protection, to Physical Security etc. Our approach to managing Information Security and its implementation includes, but is not limited to, control objectives, controls, policies, standards and procedures. These are reviewed independently at planned intervals, both internally and externally by suitably qualified personnel and organisations.

We are in the process of re-establishing our credentials including certification to ISO 27001:2013 building on the existing Information Security Management System (ISMS). The first stage of this certification process has been completed successfully and, working closely with British Standards Institute (BSI) we are moving towards completion of stage 2 which includes a program of audits at our UK locations.

Be assured that as we go through this process, there will be no impact to your business. We are currently compliant to ISO certification and will continue to use the same stringent processes and procedures to comply with the principles of ISO27001.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Zellis has adopted the Change Management (Service Transition) process from the ITIL V3 framework. Zellis has a change management process that covers all changes to equipment and software used in the delivery of services. Changes are logged through Zellis service management suite and go through a full review and approval process.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Zellis' Vulnerability Management Standard establishes the minimum requirements to be deployed for a sound vulnerability discovery and management system. Standards for Patch Management define a common framework in applying patches on production systems. It aims to reduce risks resulting from exploitation of technical vulnerabilities in an effective, systematic, and repeatable way. The SaaS infrastructure is subject to monthly vulnerability assessments by an independent third-party consultancy who are CREST members.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach For the underlying infrastructure, Zellis has implemented a SIEM to centrally store, manage and protect logs. Other proactive monitoring is carried out by New Relic, BMC Patrol and an assortment of other tools.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Zellis has a SIEM that centralises logs and monitors for security events. We also have a monitoring system that triggers alerts internally to Zellis teams. In the event of a security breach, we create a security incident and process this following our procedures. Our security controls ensure that security events and weaknesses communicated, and corrective actions are taken in accordance with standards/procedures. Security breaches involving buyers will be notified to the Zellis Account Manager who will then inform the buyer. All data security breaches will be reported to the Zellis Security Manager who will investigate and take appropriate actions.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £0.59 per person per month
Discount for educational organisations No
Free trial available Yes
Description of free trial A free of charge trial environment is provided to the user for an agreed period of time for the assessment of the service suitability. This is provided as an on request service only.
Link to free trial Upon request.

Service documents

Return to top ↑