Matrix SCM


Matrix SCM provides a cloud-based software application which enables our customers to engage and manage contingent staff more effectively and efficiently. Our software also helps customers to reduce their future reliance on using contingent staff by helping them to develop permanent staffing capability. For more information visit


  • End-to-end recruitment system
  • Dynamic Purchasing System (DPS)
  • Real-time reporting and Management Information
  • Candidate order, review and selection
  • Temporary Agency Staffing
  • Permanent Recruitment
  • Electronic Timesheets
  • Supplier Management
  • Consolidated Invoicing
  • Pre-employment check process


  • DPS Compliant
  • Control and Visibility over agency spend
  • Faster and more efficient recruitment process
  • Increased Candidate Quality
  • Candidate Compliance
  • Mobile and Tablet Usability


£10000 to £150000 per instance per year

Service documents

G-Cloud 11


Matrix SCM

Chris Grimes


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints No
System requirements Access to the internet

User support

User support
Email or online ticketing support Email or online ticketing
Support response times 24 hours for Clients. Matrix are 24/7/365 with dedicated Account Management support.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard None or don’t know
How the web chat support is accessible The web chat is embedded into our cloud application and accessed through the help tab. This is a typical chat feature. a recording of conversations are emailed to the matrix Operations manager.
Web chat accessibility testing Our web chat is provided by a third party. We have checked with them and they have confirmed that they have not completed any testing with assistive technology users.
Onsite support Yes, at extra cost
Support levels Service Desk, Email, Phone, Live-Chat.
Account Management Resource and Strategic Contract Management. Support available at additional cost. Technical Account Management related to system available at no cost.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Matrix SCM provide a comprehensive implementation process which includes full system training through a mix of on-site, online and video training material. This is carried out by a dedicated implementation team and training manager.
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction Users will need to contact Matrix SCM to have their data completely removed from the system. But users can also use the export functionality to extract the data themselves.
End-of-contract process The client has a grace period in order that any critical activities are completed and allow any outstanding payments to be made. No new activities can be completed during this time.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service CR.Net is Mobile and Tablet Friendly. Matrix now have a native app, that runs on both Android and Apple devices.
Accessibility standards None or don’t know
Description of accessibility The service is accessible through a web browser.
Accessibility testing None
What users can and can't do using the API This is not a public defined user API, but this supports the app to both get and make changes to the data.
API documentation Yes
API documentation formats Open API (also known as Swagger)
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Custom fields can be defined and optional approval processes. Look and feel of the system can also be customised. Bespoke integrations with third party software can be created. All internal policy is reflected on to the system.


Independence of resources We have a load balanced web farm that spreads load evenly and the solution is hosted in a virtual environment so new resources can be spun up very quickly. Active monitoring of every aspect of the solution allows us to monitor against CPU, disk space and database transaction times.


Service usage metrics Yes
Metrics types User access, browser types, device types, page history, server statistics (CPU, disk space) failed log-ons.
Reporting types Regular reports


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Staff screening not performed
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency Less than once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach Manually export by selecting the export button within the system or can sign up to schedule reports within the system.

Alternatively, administrators can run data extracts at given schedules.

Users can run reports in the system and then export them in excel or PDF formats.
Data export formats
  • CSV
  • Other
Other data export formats XML
Data import formats
  • CSV
  • Other
Other data import formats XML

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability Matrix-CR.Net delivers a service uptime of 99.8% to our customers.
Matrix has a comprehensive Disaster Recovery (DR) Plan to ensure that all departments are fully aware of what actions should take place if Matrix SCM have switch to a DR plan, these actions will ensure that there is minimal disruption to our clients.

Uptime will be measured on a quarterly basis, using the measurable hours in the quarter i.e. actual time available vs. total time within the quarter (inclusive of any scheduled downtime, including maintenance, upgrades, etc.) For the avoidance of doubt, his equates to 2,189 actual hours available / 2,200 possible available hours = 99.5 availability.
The system will be classed as “unavailable” in the event that there is a fault with the system that either a) prohibits users from being able to login or b) renders critical functionality to be non-operational (or otherwise classified as severity 1 within this SLA), as a result of a fault with the system itself, rather than due to the user’s own hardware or software issues.
Approach to resilience Tier 4 designed data centre with dual power generators, dual internet connection, dual network cards, dual servers, UPS's.
Outage reporting Operations Centre would manage all communications with users directly.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Users are given a pre-defined role which controls what they can access within the system.
Access restriction testing frequency At least once a year
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 British Assessment Bureau
ISO/IEC 27001 accreditation date 05/04/2019
What the ISO/IEC 27001 doesn’t cover Nothing.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications Cyber Essentials

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Matrix SCM is accredited for IS0 27001 which demonstrates that Matrix has a well-structured and embedded Information Security Management System. Account Managers report in to Business Management and Operations Director. Matrix SCM also hold the Cyber-Essentials certification

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach All components of CR.Net are tracked through their lifetime via a risk register and issue log which is managed by our IT development team.
Any changes made to the system are put through rigorous user testing in a testing environment, which are signed off by the customer before being implemented on the the live production site.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Anti virus software on the services. Traffic is routed through firewalls. Patches are applied when released by Microsoft. Threats are alerted to us through Microsoft updates, anti-virus or continual monitoring software
Protective monitoring type Supplier-defined controls
Protective monitoring approach All servers are firewall protected and are running latest anti-virus software. We perform regular checks of the servers through use of monitoring software that send email alerts to key IT personnel.
If compromised, we would follow the industry standard guidelines to eradicate the risk .
All events within the system are audited and fully visible to the users. All page access is also monitored along with failed login attempts, with passwords being locked after 3 failed attempts. Users also have to change their passwords every 45 days
Incident management type Supplier-defined controls
Incident management approach All servers are fully monitored with numerous failover points to try and litigate incidents that would affect the running of the system. Matrix also operate a full DR process in case of system outages. This not only includes the system but the offices and telephones. Software related incidents are logged into the helpdesk system through their dedicated account manager. Incident reports are communicated back to the end-users either through phone, email or the system itself.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £10000 to £150000 per instance per year
Discount for educational organisations No
Free trial available No

Service documents

pdf document: Pricing document pdf document: Service definition document pdf document: Terms and conditions pdf document: Modern Slavery statement
Service documents
Return to top ↑