For effective management of internal and external customer accounts. Improves productivity by creating transparent workflow and automating admin tasks. Clear approval processes, instant performance reporting against budget and KPIs. Used by public sector account managers to secure efficiencies and savings while delivering a high-quality service, focused on strategic priorities.
- e-Catalogue, client portal: simple, secure access for colleagues and external
- Planning and scheduling: project management, work allocation and resource management
- Collaboration: simple shared workflow for team, internal services, external suppliers
- Track expenditure and income (forecast and actual) against budget
- Quality assurance: Documentation, approvals, audit trail, management reporting
- Contact relationship management: colleagues, authorisers, clients, suppliers
- Resource management, task allocation, time management
- Estimating and purchasing: instant competitive quotes, mini-tenders, budgeting, client estimate
- Real-time management reporting, bench-marking and performance monitoring
- Integration, interface with finance systems as required
- Save time with effective planning, workflow, administration and transactional processes
- Increase productivity, supported self-service options, efficient planning and time management
- Avoid duplication of effort, share assets, collaborate, comply with GDPR
- Track use of service and monitor performance against KPIs
- Make cashable cost savings with highly competitive automated supplier estimating
- Focus on priorities: Automate low-value reactive and administrative work
- Generate income and increase operating margins on your services
- Panacea Software users report 53% increase in productivity
- Improve reputation and service delivery with intuitive and efficient workflow
- Support remote working with 24 hour access for all users
£7101 per licence per year
Panacea Applications Limited
|Software add-on or extension||No|
|Cloud deployment model||Private cloud|
|Service constraints||There are no constraints. The buyer needs no specific hardware configuration and no software installation. Panacea Software is available online using any browser. Essential maintenance work and software upgrades are performed outside office hours.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||Within 5- working hours. Our support desk is manned during office hours by competent staff providing Users with technical support and advice on the use of Panacea Software by email or telephone, in clear written or spoken English. Response time may be slower during weekends.|
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||Web chat|
|Web chat support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support accessibility standard||None or don’t know|
|How the web chat support is accessible||We use Tidio Chat to manage web chat with our users. Tidio does not use WCAG 2 guidelines, as they are not a governmental body. However, they confirm that they always act in accordance with the relevant UK and EU legislation and comply with policies. They may be adding accessibility standards in the future.|
|Web chat accessibility testing||Web chat has been tested during implementation, and is regularly tested on an ongoing basis.|
|Onsite support||Onsite support|
Support is provided to all Users:
a. Panacea will provide online support documentation and videos to all Users via the support icon displayed on every screen of the Web Application.
b. Panacea’s support desk will be manned by competent staff providing Users with technical support and advice on the use of Panacea Software by email or telephone, in clear written or spoken English.
c. Onsite training and support can be provided by agreement if required
d. Named technical account managers are nominated to each subscriber and are available by email, telephone and onsite by arrangement as required.
"The support from the Panacea team itself is invaluable - there are very few suppliers who provide this level of support so efficiently and consistently." Anushka Desai, Buckinghamshire County Council
|Support available to third parties||Yes|
Onboarding and offboarding
|Getting started||We work closely with the Subscriber to set up and configure the software as required to ensure the software can be implemented with minimum effort creating a simple, intuitive workflow for all users. We provide on-site training as standard when the software is launched, and provide online training to all users as required. Implementation for public sector subscribers takes 4-8 weeks and we offer support to all parties to ensure this process is efficient and effective and achieves the desired outcomes. "Working with the skilled and professional team at Panacea has been a great experience. With their support the system was implemented smoothly and we were quickly up and running" Karen Johnston, Bolton Council.|
|End-of-contract data extraction||Upon the termination of the contract, we allow the Customer access to the Panacea Software for a period of 10 Business Days for the sole purpose of the retrieval of Customer Data.|
On termination of the contract, Panacea allows the Customer access to the Panacea Software for a period of 10 Business Days for the sole purpose of the retrieval of Customer Data and the following apply:
(b) all licences and rights granted to the Customer immediately cease;
(c) the Customer ceases all activities (apart from data retrieval) authorised by the agreement;
(d) each party shall return and make no further use of any software, equipment, property, Documentation and other items (and all copies of them) belonging to the other party;
(d) Panacea will destroy or otherwise dispose of any of the Customer Data in its possession, subject to the 10 business days allowed for data retrieval.
(e) The Customer shall pay all reasonable expenses incurred by Panacea in returning or disposing of Customer Data; and the Customer shall immediately pay to Panacea any sums due to Panacea under the contract; and
(e) any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of the agreement which existed at or before the date of termination shall not be affected or prejudiced.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||Collapsible menu responsive to lower resolution screen size, for user-friendly view on smaller screen.|
|Accessibility standards||None or don’t know|
|Description of accessibility||Text throughout is readable by a screen reader; all non-text content includes tool-tips for this purpose. We use Google’s reCAPTCHA with audio option. Text versions are provided for any video-only content. Pages have titles, breadcrumbs, etc. Information, structure, relationships, and UI elements' name, role and value are available in text, and error validation text is readable by screen reader. Instructions and content rely only on text (not icons, colours or shapes). Text contrast ratio is at least 4.5:1; everything is resizable and accessible using a keyboard, with no keyboard trap. No Flash, no auto-updates, no flashing or moving content, no audio-only content, no time limits.|
Interface testing with:
- Wave web accessibility evaluation tool
- Dragon from Nuance
|What users can and can't do using the API||
Subscribers can use our API to enable simple, secure set-up for internal users from their own intranet. The API includes two interfaces:
1) Test User Exists - a user clicks on a link in the Subscriber's intranet, which sends a request to this API to check if the user already has an account on the Panacea Software system
- If the user has an account they are redirected to login to Panacea Software
- If the user does not have an account, the Create New User API is triggered.
2) Create New User - the Subscriber's intranet application retrieves the user's details from their directory service and sends these details to this API.
- If the user account is created successfully the client is directed to the login URL for Panacea Software and receives an email to generate a password
- If there is a problem, the account will not be created and the user is referred to an appropriate support contact.
|API documentation formats|
|API sandbox or test environment||Yes|
|Description of customisation||
Buyers can customise each module of Panacea Software they purchase, as appropriate, for example:
- Branding of software: Colours and logo as standard, bespoke landing page option if required
- Client interface and e-catalogue: forms, options, automated quotes, available items, products and services with preset calculators for instant quotes, preferred suppliers for each service if required
- Templates: Schedules, forms, calculators, branded artwork, branded e-mails
- Code format rules: Budget codes, GL Codes, Cost Centre codes, etc.
- Data for import to finance system(s): Batch files formatted for import (manual or automated) for charging, invoice generation, supplier invoice payment, budget management
- Tender documents: Standard Questionnaire, PQQ, Supplier Questionnaires - question content, structure, formats, types, rules, scoring, pass/fail, etc. and tender stages, timing and workflow, supplier qualification
- Tags, categories and search criteria for digital assets
|Independence of resources||Panacea Software is hosted within a hybrid-cloud comprising Virtual Private Servers and Dedicated servers. Each Subscriber’s service runs under its own instance on IS with their own database and data folder. Future versions of the software may employ secure multi-tenancy architecture. Every element of our network is monitored and logged 24x7, (Cisco, Juniper). Performance issues requiring investigation are escalated to on call engineers who quickly take the necessary steps to minimise any impact on users. Servers are patched weekly. All attempts to access the software are logged. Malicious characters and repeated attempts to login with incorrect passwords are blocked.|
|Service usage metrics||Yes|
Subscribers can monitor service usage, view login records and user activity metrics including event logs, audit trails, history notes and real-time management information available at the click of a button, including:
• Usage of service
• Analysis of activity, expenditure and income by organisation, department, section, individual, etc.
• Performance reporting on KPIs, supplier selection, feedback, etc.
• Contract management of suppliers, clients, account etc.
• Extensive expenditure and income reporting
• Resource management including time-sheet reporting
• Data export files for interface with other systems
• Customised reports available subject to agreement.
Our service uses TLS version 1.2.
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||None|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider|
|Protecting data at rest||
|Other data at rest protection approach||
- We comply with the provisions of the Data Protection Act 1998.
- Access to Panacea Software is restricted via a secure login process for authorised users, with password encryption
- The physical servers are located at Data Centres in the UK with security infrastructure and procedures which are fully compliant with ISO 27001, ISO 22301 and PCI-DSS v3.
Our servers are held in locked racks which can only be opened by individuals
- Firewall: The network is protected by two Fortigate IPS (Intrusion Protection Systems) units providing maximum reliability while filtering any malicious traffic
|Data sanitisation process||Yes|
|Data sanitisation type||
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||
Users can generate, download and export their data in a variety of file formats including html, pdf, csv or xls.
Data can be exported in the format required for import into user's finance systems for supplier payment, client invoicing, internal charging, budget management, etc. Subscribers can opt for specified users to have access to generate and download or export this data, or to automatically generate and export this data by automated file transfer (e.g. daily FTP) to a specified destination.
|Data export formats||
|Other data export formats||
|Data import formats||
|Other data import formats||Xls|
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
Panacea Software is hosted on dedicated managed servers with 99.9% network uptime SLA.
Our servers are powered by 6 independent 11kv three phase electrical supplies from 3 separate national grid substations. Standby Generation is provided at N+1 redundancy via diesel engine driven generators. On-site fuel is stored to maintain full load operation for all generator sets for continuous running of 24 hours.
Every element of our network is monitored, supported (by Cisco, Juniper and Fortinet) and logged 24x7. Should an event occur which requires further investigation, an on-call engineer is paged and is working on the issue within minutes, before any small problem impacts our service.
Our online support is available 24/7 with telephone and email support available from our help desk during working hours, manned by competent staff providing Users with technical support and advice by email or telephone, in clear written or spoken English.
Defect resolution SLA of 5 working hours for a Severity Class 1 issue, 10 working hours for a Severity Class 2 issue and 2 business days for a Severity Class 3 issue, as detailed in our Software Maintenance Policy (available online, as well as via a link on the home page of Panacea Software).
|Approach to resilience||
Panacea Software is hosted in the UK on dedicated managed servers in a secure purpose-built hosting facility (details available on request), backed-up to a linked location and a data centre in the UK, to allow data to be restored in the event of catastrophic disaster at the primary site.
Servers are housed in locked racks in centres with accredited security infrastructure, including:
- Independent client card identification access system
- Single-person point of entry, guarded 24/7 and monitored by integrated digital video camera surveillance
- Proximity card access control system
- Protected perimeter fence, fitted with intruder sensing
- 24/7 CCTV coverage of perimeter, common areas, facilities management suites.
Planned maintenance is performed outside business hours; maintenance procedures minimise disruption from unscheduled issues. Business continuity and disaster recovery procedures are in place in the event of a catastrophic situation.
Logs and certificates are retained pertaining to the secure disposal of equipment: Hard drives are securely shredded into 15mm strips to prevent recovery of data.
Backed-up data stored in proprietary format is automatically deleted and over-written after seven days.
Subscribers retain access to retrieve their data for 10 working days after termination of contract; thereafter their data is deleted and destroyed.
Subscribers are informed of any planned server outage (e.g., due to a scheduled upgrade) by email alerts (using an approved CRM software).
Every element of the network is monitored and supported (by Cisco, Juniper and Fortinet) and logged 24x7. Should an event occur which requires further investigation, an on-call engineer is paged and is working on the issue within minutes, preventing or minimising any impact on our subscribers.
We use Uptime Robot to monitor the performance of our service and receive outage information via automated email alerts.
We monitor service performance (including outages) and provide performance reports to subscribers if required.
Identity and authentication
|User authentication needed||Yes|
|Other user authentication||Users are granted access to only relevant and authorised sections of the software. This is strictly monitored and reviewed. Additionally, passwords are fully encrypted.|
|Access restrictions in management interfaces and support channels||
Only authorised individuals can authenticate to and access management interfaces for Panacea Software or perform actions affecting our service through support channels.
Access to Panacea Software, management interfaces and support channels is strictly restricted to authorised individuals according to clearly defined user roles, following a secure login process using encrypted passwords.
Every attempt to access the software is logged, repeated attempts with an incorrect password are blocked, and users are alerted to any concurrent use of their credentials.
Our operational folders are stored on secure external servers, which can only be accessed via SSL VPN and password, to ensure secure service administration.
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||User-defined|
|How long system logs are stored for||User-defined|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||UKAS (IMS International)|
|ISO/IEC 27001 accreditation date||29/11/2017|
|What the ISO/IEC 27001 doesn’t cover||All aspects of our service are covered by ISO 27001 accreditation. The software, management, and service provision are covered by the certificate noted above, and our hosting subcontractor also holds ISO 27001 accreditation covering the hosting and back-up of our software and data. Certificates are available upon request.|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Who accredited the PCI DSS certification||NCC Group|
|PCI DSS accreditation date||17/05/2016|
|What the PCI DSS doesn’t cover||This certification is held by our hosting sub-contractor and covers the hosting of our servers. It does not cover our software. We do not currently plan to obtain this certification for our software itself, since the software does not currently accept, process, store or transmit credit card information.|
|Other security accreditations||Yes|
|Any other security accreditations||
|Named board-level person responsible for service security||Yes|
|Security governance accreditation||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||
Our integrated management system incorporates clear processes to support our company objectives and ensure compliance with our security policies, including:
• Privacy and security of customer data
• Physical security and asset management
• Server security
• Security screening of personnel
• Security incident management
• Software maintenance
• Password security and user access restrictions
• Development and configuration management
• Quality assurance and software testing
• Disaster recovery
• Business continuity
To ensure our policies are followed:
We train all our personnel fully on our information security policies, processes, roles and responsibilities, as follows:
- Security induction training (in-house)
- Security training up-dates and team training (in-house)
- Security training and cyber-security up-dates (external accredited provider)
Our processes, including risk assessment, operational planning and all security controls are subject to regular and robust review:
a) Fortnightly testing including functionality, regression and security tests
b) Business continuity exercise scenarios
c) Penetration testing
d) Disaster recovery testing
e) Management reporting and review.
Our security policies and standards which affect our subscribers and their data are included in user training and support materials, and are available to all users on our website.
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
We follow standard development guidelines. Our management system includes GitHub for source control and Jira for issue tracking, to monitor each requirement from specification, development and testing to release.
Specifications for development and configuration are reviewed against feedback, security guidance and business requirements. Organisational and technical interfaces are defined and tracked. Configuration and change requirements are assessed in terms of scope, adequacy, impact on functionality, scalability, ease of use and potential security.
Our fortnightly release process supports stringent testing protocols. The validation process tests that each component is fit for purpose, and regression testing ensures security and integrity of existing functionality.
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||Automated error messages alert us to any attempts to inject malicious code, and the software blocks repeated attempts to login with incorrect passwords. Vulnerabilities identified are recorded on our tracking system, and fixes are resolved and deployed as a matter of priority. As standard, upgrades are deployed fortnightly. All attempts to access the software are automatically logged, including failed logins. Penetration test results confirm our defence against malicious threats including SQL and JS injection attack. Passwords and other sensitive data are encrypted. Windows Servers are patched on a weekly basis and AntiVirus software is automatically updated to identify and deal with any vulnerabilities.|
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
Potential compromises are monitored through:
• Fortigate IPS (Intrusion Protection Systems)
• Every element of network monitored and logged 24/7 (Cisco, Juniper, Fortinet)
• Automated emails alert us to any suspected malicious activity
• Penetration testing by third party accredited provider
• Full-time in-house testing team following strict protocols
Response to potential compromise
- On-call engineer (24/7) resolves any potential compromise to network
- Potential vulnerabilities immediately logged and resolved according to severity, in line with our maintenance policy SLA:
Severity class 1: 5 working hours
Severity class 2: 10 working hours
Severity class 3: 2 business days.
|Incident management type||Supplier-defined controls|
|Incident management approach||
Our Incident Management policy is on our website and is covered in our staff and user training and operational manuals:
- Users notify Panacea Support as soon as an incident is suspected or identified, via Phone, Email or WebChat, providing all possible information on details, impact, steps taken
- Our staff and contractors log any incidents, notify Management immediately and thoroughly investigate cause(s), impact on the software and data, immediate action and future mitigation measures, and may invoke the Continuity of Business plan if required
Incident reports are provided to our subscribers by email and in service review meetings.
|Approach to secure software development best practice||Supplier-defined process|
Public sector networks
|Connection to public sector networks||No|
|Price||£7101 per licence per year|
|Discount for educational organisations||No|
|Free trial available||No|
|Pricing document||View uploaded document|
|Skills Framework for the Information Age rate card||View uploaded document|
|Service definition document||View uploaded document|
|Terms and conditions document||View uploaded document|