Curtis Fitch

Curtis Fitch eSourcing

The Curtis Fitch eSourcing software is used for supplier onboarding, online e-procurement, contract management and data analytics.

The Curtis Fitch eSourcing platform allows e-procurement, online tendering and e-auctions, due diligence and compliance.


  • Central repository of contract, supplier and project data
  • Authorisation and controls for contracts and projects
  • e Sourcing, esourcing, e-procurement
  • Standardisation of processes built out as templates for users
  • e-Procurement
  • Automated notifications and alerts for expiring contracts and certificates
  • Build your own reports and dashboards
  • Supplier Performance management
  • Supplier and Service Risk management
  • eSourcing Project Management


  • Comprehensive data dashboards enabling a deep dive into detail
  • Template your processes to quickly create content
  • View and manage content from multiple devices
  • View and manage risks easily within your supply chain
  • Log on remotely via a secure logon
  • Easily trace site activity via an extensive audit trail
  • Configure and customise your site to reflect your company brand
  • Keep on top of your to-do list via notifications
  • Collaborate with team members and stakeholders
  • Invite multiple suppliers to bid in five easy steps


£2000 per licence per year

  • Free trial available

G-Cloud 9


Curtis Fitch

Kelly Rogers

01242 530900

Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints No
System requirements Buyers will need a specific software licence

User support

Email or online ticketing support Email or online ticketing
Support response times All critical issues (for example, the software being unavailable to any number of users) must be reported by telephone. In that situation we provide an immediate response and a 2-hour target resolution time. All emails are subject to a 2-hour response target.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels Curtis Fitch will maintain software uptime at 99.5%, measured over a 3-month period. The company provides a help desk for any customer to log issues relating to the use and functionality of the software and issues with the software, such as not being able to log on to the system. This service is available from 08:00 to 18:00 Monday to Friday at no extra cost to the customer. By prior arrangement the Curtis Fitch Help Desk will provide support outside these times. This will be at an additional cost to be agreed between the parties at the time.

Each client is allocated a dedicated Account Manager (FOC) who will provide monthly reviews of service provision and any issues raised. They will also conduct on-site quarterly review meetings.
Support available to third parties Yes

Onboarding and offboarding

Getting started To help users start using the Curtis Fitch platform, the company provides onsite training and online refresher sessions following the onsite training. We also provide user documentation that is regularly updated to include new features.

We make use of three different 'types' of training. The super user approach is where the client has identified key individuals to support the deployment across the organisation. The super user is trained to disseminate the software through the business and act as the point of contact for internal users. The second type of training is eSourcing team training. This is where eSourcing is developed as a centralised function and a 'centre of excellence'. The third type is called Full Deployment Training. This is a mass training approach where the software is taught to a large group of end users.

The type of training depends upon customer requirements.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats
  • Word
  • Excel
  • CSV
End-of-contract data extraction At no cost to the client, Curtis Fitch transfers all data relating to the client either to the client or to a new service provider nominated by the customer. Curtis Fitch ensures the transfer of data via secure File Transfer Process (FTP) with no posting of documents, resulting in no data loss, corruption or impairment.
End-of-contract process All data is provided to the customer at no extra cost upon termination or expiry of the agreement. There are no additional costs to the customer upon ending the contract.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service None
Accessibility standards None or don’t know
Description of accessibility The Curtis Fitch software is mobile optimised and can therefore be scaled in size to support those with sight impairment.
Accessibility testing None
Customisation available Yes
Description of customisation The software landing page can be customised to represent the customer's own branding and imagery. Once logged into the application, customers can insert their company logo. All workflow within the software can be built to replicate existing company process or workflow. All sourcing templates can be customised to replicate the customer's own processes. All contract templates can be customised to capture the customer's own contract fields.

Users customise by creating fields and linking where appropriate with workflow. Users can create a number of different field types and can create dependencies from these fields.
Any admin user can customise the software.


Independence of resources Curtis Fitch operates a High Availability infrastructure across a private network. The platform is load balanced to ensure customers are not affected by the usage of another customer. For example, if one customer is running a particularly large report or auction via the software, the hosting platform will automatically fail over to ensure the performance of other customer sites is not affected.


Service usage metrics Yes
Metrics types Service uptime and helpdesk metrics will be presented by your account manager at quarterly account reviews. Any feedback submitted from users via the 'Feedback' button will also be reviewed.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Staff screening not performed
Government security clearance None

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data export approach Users can run system reports and export their data to Excel. All system data is available in this way. In addition, all users have access to our Business Intelligence tool, CF Analytics. CF Analytics has a number of pre-built dashboards available and a 'build your own' capability for users to define how their specific dashboards appear.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats Excel
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats Excel

Data-in-transit protection

Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability Curtis Fitch endeavours to maintain the software uptime at 99.5% measured over a 3-month period.
Approach to resilience Our hosting infrastructure is designed within a private cloud, using a web application firewall to protect data within the network segment. Hypervisors manage the servers, and the infrastructure is high availability and load balanced. This design has been created in partnership with Rackspace UK, with whom we work under an intensive support plan.
Outage reporting This would be reported directly to the customer. We would firstly report via telephone and follow up by email.

Identity and authentication

User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Every user is given an access level upon creation. This restricts the access rights of the user. Additionally, there are also privacy restrictions that can be applied to certain parts of the site to stop any unauthorised access.
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI
ISO/IEC 27001 accreditation date 10/12/2015
What the ISO/IEC 27001 doesn’t cover The Information Security Management System (ISMS) applies to the provision of software as a service and its supported activities to internal and external customers of Curtis Fitch in accordance with the ISMS Statement of Applicability dated 03-08-2015.
The scope detail extends to:
Curtis Fitch Employees & Assigned Assets. Curtis Fitch Office Premises & their contents. Product application source code. Software development lifecycle. Internal IT systems (email & network). Network access controls around client data. Applicable legal, contractual and regulatory requirements. Interested Parties.
Scope boundary:
Third-party suppliers who provide key services to Curtis Fitch and reside within the boundary of the scope are subject to third-party supplier assessments. Supplier risk ratings are stored in the Curtis Fitch Third Party Supplier Assessment Tool. These third parties can provide software, hardware or physical controls to protect information used by Curtis Fitch and its customers.

One control of ISO 27001:2013 has been omitted which is 'Outsourced Development'.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations No

Security governance

Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Curtis Fitch is ISO 27001 certified and we adhere to the policies and procedures created within this ISMS. We are audited externally every year by the BSI.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach At Curtis Fitch all new software development is subject to a QA and testing process. It is then penetration tested before it is rolled out as a new software version, to ensure the changes are assessed for potential security impact.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Curtis Fitch works with Veracode to provide SAST and DAST coverage of the CFSuite product. They also provide best practice advice and industry knowledge and awareness on security vulnerabilities.
Protective monitoring type Supplier-defined controls
Protective monitoring approach For threat detection and prevention, under our intensive support level agreement with our service provider, Rackspace UK, a team operates 24/7, tracking online threats that could have an impact on our service.

We have an IDS and IPS hardware service in place that our service provider also manages. Threats and access attempts are rated, and we are advised if and when action is taken. Incidents are dealt with immediately by the service provider; at Curtis Fitch we only get involved if intervention is required. This typically happens as soon as it's logged.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach At Curtis Fitch we do follow a pre-defined process for incident management. Users will either call our support desk or their account manager to report an incident. Once recorded the incident is given a priority status of critical, high, medium or low. For any critical incidents, such as data loss, a developer will be allocated immediately to investigate the incident. Once fixed and tested the account manager will work with the customer to get the fix patched onto their site. An incident report will then be written and sent across to the customer.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks Yes
Connected networks Other


Price £2000 per licence per year
Discount for educational organisations No
Free trial available Yes
Description of free trial Potential customers are given access to their own branded trial site. We will agree a time period for the potential customer to use this. They will have access to all of the features which would be available in a paid licence.

