Provision of HR & Payroll software on a UK based SaaS platform. Functionality includes comprehensive and flexible HR features, rich Payroll including all UK and ROI legislative requirements with facilities for multi-post employees, back-pay calculation etc. and a highly functional and intuitive self-service portal for both employees and line managers.
- Integrated modular platform offering single source of truth
- Fully responsive design empowering, anytime, anywhere, any device access
- Comprehensive Real-Time Dashboards and analytics tailored to your needs
- Powerful workflow engine to drive improved business processes
- Configurable, scalable, agile solution underpinning ever changing business needs
- 40 years Public Sector payroll knowledge and legislative compliance
- Ability to outsource HR & Payroll capability
- SaaS delivery from secure, resilient UK based Data Centres
- Significant R&D investment driven by customer experience and market trends
- Comprehensive, accurate, real-time information, enabling evidence-based decisions
- Enhanced employee engagement, driving productivity, retention and cost reduction
- Easy, intuitive, faster and more agile decision making
- Underpinning continual business process improvement and cost reduction
- Your investment is protected long term
- De-risk your decision, and your organisation
- We understand your public-sector payroll needs and complexities
- Focus on core competencies and strategy whilst reducing cost
- Low risk, secure and continually compliant data location
- Highly engaged collaborative customer base benefiting directly from targeted investment
£0.59 per person per month
- Pricing document
- Skills Framework for the Information Age rate card
- Service definition document
- Terms and conditions
- Modern Slavery statement
Zellis UK Limited
|Software add-on or extension||No|
|Cloud deployment model||Private cloud|
|Email or online ticketing support||Email or online ticketing|
|Support response times||Tickets can be raised on-line via the Zellis Extranet 24/7 however incidents for support will only be responded to during standard working hours.|
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||None or don’t know|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||Web chat|
|Web chat support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support accessibility standard||None or don’t know|
|How the web chat support is accessible||Web Chat (Live Chat) is available Monday to Friday 9:00 to 17:00 (UK time) excluding bank and public holidays in England for advice and guidance.|
|Web chat accessibility testing||None|
|Onsite support||Yes, at extra cost|
For the Zellis SaaS solution, systems are generally available for on-line use 24 hours per day, 7 days per week, excluding certain times during which housekeeping and other operational activities take place, e.g. upgrades to the hosting infrastructure, database export routines etc.
Zellis will commit up to 99.5% availability within the Core Service Availability hours, which are 08:00 to 18:00 Monday to Friday except UK Bank and Public Holidays and any downtime for application upgrades.
Support is provided against a set of Service Level Targets and underpinned by our Support Service Guide.
Priority 1: Critical: Guideline Response Time – 1 hour: Guideline Resolution Time – 4 hours
Priority 2: Urgent: Guideline Response Time – 1 day: Guideline Resolution Time – 5 days
Priority 3: Important: Guideline Response Time – 1 day: Guideline Resolution Time – 20 days
Priority 4: Non-urgent: Guideline Response Time – 1 day: Guideline Resolution Time – not before next major release.
We provide one level of support included within the annual maintenance fee.
Support is provided by a bank of skilled support consultants with a variety of skills to meet the diversity of support calls.
|Support available to third parties||Yes|
Onboarding and offboarding
Zellis’ Standard Implementation Methodology is known as PIM (Process Implementation Method). PIM has been developed to standardise how Zellis implement products and services, drawing upon many years of experience and best practice. The Zellis project method is based on key principles from PMBOK project methodologies.
PIM is split into 5 stages; Prepare, Elaborate, Build, Deploy and Operate.
As well as the project being broken down into the five stages, it is also split into three main knowledge areas; Project Delivery System (PDS), Process Configuration (PC) and Operations Readiness (OR). An overview of each is as follows:
● Project Delivery System
Drives the implementation through the PIM phases using quality tollgates as entry points
● Process Configuration
Configures the HR and/or Payroll solutions to client specifics
● Operations Readiness
Prepares the resources of customer and Zellis to deliver the required function/service
|End-of-contract data extraction||Upon contract termination, data will be returned to the customer in a contractually agreed format.|
|End-of-contract process||A mutually agreed exit plan is put in place, ensuring continued Account Management, Support and Maintenance for the client until contract expiration. The customer data shall then be returned in whole, or destroyed in line with GDPR requirements.|
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||
There are two user interfaces:
1) For managers and employees, we provide an intuituve fully responsive interface for self service users across any device.
2) For core HR & Payroll administrators, we provide a comprehensive interface designed for full screen browser access.
Both are browser based, requiring no desktop application.
|What users can and can't do using the API||
A publicly accessible, openly documented API is available. The ResourceLink API is a SOAP and WSDL based API (being transposed to REST) that exposes both inbound and outbound notification services between ResourceLink and third-party applications to aid customers in the realisation of their SOA strategy. This is offered as an optional part of ResourceLink.
The ResourceLink API allows online systems to receive changes to employee, post, post holding, vacancy and application data on a configurable near real time basis, typically every five minutes. Likewise, the API exposes web services that allows other systems to query ResourceLink based post-to-post security and update basic employee details that may be maintained or entered via another system.
|API documentation formats||
|API sandbox or test environment||Yes|
|Description of customisation||
Users can customise ResourceLink the following ways;
1) Reporting Dashboards
4) Field Names
6) Workflows & Alerts
7) Security Profiles
This is not an exhaustive list and will be determined by the modules utilised by the user.
Additionally, we also provide User Defined Fields and Screens.
Two types of user defined screen are available:
● Simple Screens – this type of user defined screen allows basic data entry by the operator. The systems administrator can define the number of fields on the screen, the order of the fields on the screen, mandatory fields and validation.
● Key Dependent Screens – This type of user defined screen has the added capability of holding current and previous lines of information, thus allowing for the retention of historical amendments.
Both the user defined and standard screens can be included in workflow tasks in whatever sequence best suits your workflow processes. User defined fields and screens, with their attaching characteristics, are maintained through upgrades and releases.
|Independence of resources||Peak demands are smoothed using dynamic resource re-allocation and load balancing capabilities within the infrastructure. Each virtual server has a variable allocation of CPU which may be flexed dynamically. This means that if a virtual server is quiet, it can donate resources to others that require it, and then return them. Resilient Content Switches are also used to load balance Reverse Proxy servers that directs to the delivery tier to provide the application. Zellis ensures that the baseline specifications for each virtual server reflect actual usage, and that Storage Pools have reserves based on real usage statistics.|
|Service usage metrics||Yes|
|Metrics types||New Relic allows monitoring of application performance (response times, throughput, network times, etc.); it also monitors the status of the different technical components of the application (application servers, databases) and the resources used (memory, CPU, etc.). Results can be shared with customers at the regular Service Review meetings. It is hoped that in future we will be able to provide customers with relevant APDEX scores via the New Relic tool. APDEX is essentially a response time satisfaction scoring system, on a sliding scale from 1 to 0. During our trials, we have observed a typical score of 0.98.|
|Supplier type||Not a reseller|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Baseline Personnel Security Standard (BPSS)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||No|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||‘IT Health Check’ performed by a CHECK service provider|
|Protecting data at rest||
|Data sanitisation process||Yes|
|Data sanitisation type||Deleted data can’t be directly accessed|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||Users can export data through standard export routines, such as costing extract, along with being able to export any item of data, including user defined fields, via the reporting tool.|
|Data export formats||
|Other data export formats||
|Data import formats||CSV|
|Data protection between buyer and supplier networks||
|Other protection between networks||
In addition to using TLS/SSL encryption for browser traffic, NGA encapsulates data for core users within IPSec compliant VPN tunnels dedicated to each buyer providing double encryption. These are also used as a “utilities” pipe carrying additional traffic. Multi-Factor Authentication is being introduced that provides additional protection.
Regular security tests are carried out by CHECK/CREST third-party specialists. Multi-tiered network access and protection layers are provided in each data centre. Industry-standard hardware has been hardened and configured using specific rules and multiple DMZ legs are in used to provide separate zones. ACLs and bandwidth management systems protect from potential DDOS attacks.
|Data protection within supplier network||
|Other protection within supplier network||
Each buyer will be allocated their own address range within the SaaS network so that source IP NATing can be used. Additional NATs may be required. IPSec VPNs are configured only to receive data from your range.
The Zellis endpoint will instigate a tunnel at Phase 1 if the correct public IP, agreed encryption method and Pre-Shared Key are used. The phase 2 traffic would need to be set the same and for the source and destination to address to match.
Each buyer has dedicated resources:
•Rule-set on firewalls
•Secured storage using AES256 encryption
Availability and resilience
The system is generally available 24 x 7 except where planned maintenance is scheduled outside of the Core Service Availability Period (CSAP). Zellis SLA for availability is 99.5% during the CSAP hours which are 0800-1800 for English working days.
Current availability statistics on a rolling 12-month period are 99.8% availability during CSAP hours.
|Approach to resilience||Zellis utilises industry-leading equipment with no single points of failure, i.e. dual PSU's, dual backplane, automatic remapping of faulty CPU or memory, dual virtualised I/O, RAID configured SANs etc., virtual server migration (IBM LPAR's), dual communications equipment configured in 'hot standby' mode, dual diverse communications lines, dual power feeds from different utility companies, and N+1 air conditioning. All SaaS equipment is protected against power outages by UPS’s capable of supporting the full load (including air conditioning). UPS’s are backed up by diesel generators which typically hold at least 3 days’ worth of fuel; fail-over to generators is tested regularly.|
|Outage reporting||Outages are alerted to Zellis operatives via our system monitoring tools.|
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||Access by privileged Zellis users of the SaaS environment are controlled via a Bastion Host infrastructure. This includes Terminal Services, file and proxy servers as well as two factor authentication using RSA keys. Within the SaaS environment, elevated privileges are assigned to individual user accounts by using the “sudo” command. This works by allowing the user to run as a separate account with heightened privileges. This allows the logging of activities will be against the individual's unique account and so all activities can still be associated to an individual.|
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||Between 1 month and 6 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||BSI|
|ISO/IEC 27001 accreditation date||29/05/2003|
|What the ISO/IEC 27001 doesn’t cover||N/A|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||Cyber Essentials Certification|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||
|Other security governance standards||Zellis has Cyber Essential Certification|
|Information security policies and processes||
Zellis have a raft of policies, standards and procedures that support our overarching Information Security Policy. These vary from Acceptable Use Policies e.g. for Internet Usage, email usage, Virus Protection, to Physical Security etc. Our approach to managing Information Security and its implementation includes, but is not limited to, control objectives, controls, policies, standards and procedures. These are reviewed independently at planned intervals, both internally and externally by suitably qualified personnel and organisations.
We are in the process of re-establishing our credentials including certification to ISO 27001:2013 building on the existing Information Security Management System (ISMS). The first stage of this certification process has been completed successfully and, working closely with British Standards Institute (BSI) we are moving towards completion of stage 2 which includes a program of audits at our UK locations.
Be assured that as we go through this process, there will be no impact to your business. We are currently compliant to ISO certification and will continue to use the same stringent processes and procedures to comply with the principles of ISO27001.
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||Zellis has adopted the Change Management (Service Transition) process from the ITIL V3 framework. Zellis has a change management process that covers all changes to equipment and software used in the delivery of services. Changes are logged through Zellis service management suite and go through a full review and approval process.|
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||Zellis' Vulnerability Management Standard establishes the minimum requirements to be deployed for a sound vulnerability discovery and management system. Standards for Patch Management define a common framework in applying patches on production systems. It aims to reduce risks resulting from exploitation of technical vulnerabilities in an effective, systematic, and repeatable way. The SaaS infrastructure is subject to monthly vulnerability assessments by an independent third-party consultancy who are CREST members.|
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||For the underlying infrastructure, Zellis has implemented a SIEM to centrally store, manage and protect logs. Other proactive monitoring is carried out by New Relic, BMC Patrol and an assortment of other tools.|
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||Zellis has a SIEM that centralises logs and monitors for security events. We also have a monitoring system that triggers alerts internally to Zellis teams. In the event of a security breach, we create a security incident and process this following our procedures. Our security controls ensure that security events and weaknesses communicated, and corrective actions are taken in accordance with standards/procedures. Security breaches involving buyers will be notified to the Zellis Account Manager who will then inform the buyer. All data security breaches will be reported to the Zellis Security Manager who will investigate and take appropriate actions.|
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£0.59 per person per month|
|Discount for educational organisations||No|
|Free trial available||Yes|
|Description of free trial||A free of charge trial environment is provided to the user for an agreed period of time for the assessment of the service suitability. This is provided as an on request service only.|
|Link to free trial||Upon request.|