The Curtis Fitch software is used for supplier onboarding, online sourcing, contract management and data analytics.
- Central repository of contract, supplier and project data
- Authorisation and controls for contracts and projects
- Site wide audit trail
- Standardisation of processes built out as templates for users
- Team resource planning
- Automated notifications and alerts for expiring contracts and certificates
- Build your own reports and dashboards
- Supplier Performance management
- Supplier and Service Risk management
- Sourcing Project Management
- Comprehensive data dashboards enabling a deep dive into detail
- Template your processes to quickly create content
- View and manage content from multiple devices
- View and manage risks easily within your supply chain
- Log on remotely via a secure login
- Easily trace site activity via an extensive audit trail
- Configure and customise your site to reflect your company brand
- Keep on top of your to do list via notifications
- Collaborate with team members and stakeholders
- Invite multiple suppliers to bid in five easy steps
£2000 per licence per year
- Free trial available
|Software add-on or extension||No|
|Cloud deployment model||Private cloud|
|System requirements||Buyers will need a specific software licence|
|Email or online ticketing support||Email or online ticketing|
|Support response times||Critical issues (for example, the software being unavailable to any number of users) must be reported by telephone. For such issues we provide an immediate response and a 2-hour target resolution time. All emails are subject to a 2-hour response target.|
|User can manage status and priority of support tickets||No|
|Phone support availability||24 hours, 7 days a week|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
Curtis Fitch will maintain software uptime of 99.5%, measured over a 3-month period. The company provides a help desk where any customer can log issues relating to the use and functionality of the software, as well as issues with the software itself, such as being unable to log on to the system. This service is available from 08:00 to 18:00 Monday to Friday at no extra cost to the customer. By prior arrangement the Curtis Fitch Help Desk will provide support outside these hours, at an additional cost agreed between the parties at the time.
Each client is allocated a dedicated Account Manager, free of charge, who provides monthly reviews of service provision and of any issues raised, and who conducts quarterly on-site review meetings.
|Support available to third parties||Yes|
Onboarding and offboarding
To help users start using the Curtis Fitch platform the company provides onsite training, followed by online refresher sessions. We also provide user documentation that is regularly updated to include new features.
We make use of three different types of training. In the super user approach, the client identifies key individuals to support the deployment across the organisation; the super user is trained to disseminate the software through the business and acts as the point of contact for internal users. The second type is eSourcing team training, where eSourcing is developed as a centralised function and a 'centre of excellence'. The third type is Full Deployment Training, a mass training approach in which the software is taught to a large group of end users.
The type of training depends upon customer requirements.
|Other documentation formats||
|End-of-contract data extraction||At no cost to the client, Curtis Fitch transfers all data relating to the client either to the client or to a new service provider nominated by the customer. The transfer is made by secure file transfer (FTP), with no documents sent by post, and results in no data loss, corruption or impairment.|
|End-of-contract process||All data is provided to the customer at no extra cost upon termination or expiry of the agreement. There are no additional costs to the customer upon ending the contract.|
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||None|
|Accessibility standards||None or don’t know|
|Description of accessibility||The Curtis Fitch software is mobile optimised and can therefore be scaled in size to support users with a sight impairment.|
|Description of customisation||
The software landing page can be customised with the customer's own branding and imagery, and once logged in customers can insert their company logo. All workflow within the software can be built to replicate existing company processes. Sourcing templates can be customised to replicate the customer's own processes, and contract templates can be customised to capture the customer's own contract fields.
Users customise the software by creating fields and, where appropriate, linking them to workflow. A number of different field types are available, and dependencies can be created between fields.
Any admin user can customise the software.
|Independence of resources||Curtis Fitch operates a high-availability infrastructure across a private network. The platform is load balanced so that customers are not affected by the usage of other customers. For example, if one customer is running a particularly large report or auction, the hosting platform automatically fails over so that the performance of other customers' sites is not affected.|
|Service usage metrics||Yes|
|Metrics types||Service uptime and helpdesk metrics will be presented by your account manager at quarterly account reviews. Any feedback submitted from users via the 'Feedback' button will also be reviewed.|
|Supplier type||Not a reseller|
|Staff security clearance||Staff screening not performed|
|Government security clearance||None|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||
|Data sanitisation process||No|
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||Users can run system reports and export their data to Excel; all system data is available in this way. In addition, all users have access to our Business Intelligence tool, CF Analytics, which provides a number of pre-built dashboards and a 'build your own' capability for users to define how their specific dashboards appear.|
|Data export formats||
|Other data export formats||Excel|
|Data import formats||
|Other data import formats||Excel|
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||Legacy SSL and TLS (under version 1.2)|
Availability and resilience
Curtis Fitch endeavours to maintain software uptime of 99.5%, measured over a 3-month period.
|Approach to resilience||Our hosting infrastructure is designed as a private cloud, with a web application firewall protecting data within the network segment. The servers are managed by hypervisors, and the infrastructure is highly available and load balanced. This design was created in partnership with Rackspace UK, with whom we have an intensive support plan.|
|Outage reporting||Outages are reported directly to the customer, first by telephone and then by a follow-up email.|
Identity and authentication
|User authentication needed||Yes|
|User authentication||Username or password|
|Access restrictions in management interfaces and support channels||Every user is given an access level upon creation, which restricts that user's access rights. Privacy restrictions can also be applied to certain parts of the site to prevent unauthorised access.|
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||Username or password|
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users have access to real-time audit information|
|How long supplier audit data is stored for||User-defined|
|How long system logs are stored for||User-defined|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||BSI|
|ISO/IEC 27001 accreditation date||10/12/2015|
|What the ISO/IEC 27001 doesn’t cover||
The Information Security Management System (ISMS) applies to the provision of software as a service and its supported activities to internal and external customers of Curtis Fitch in accordance with the ISMS Statement of Applicability dated 03-08-2015.
The scope detail extends to:
Curtis Fitch Employees & Assigned Assets. Curtis Fitch Office Premises & their contents. Product application source code. Software development lifecycle. Internal IT systems (email & network). Network access controls around client data. Applicable legal, contractual and regulatory requirements. Interested Parties.
Third party suppliers who provide key services to Curtis Fitch and reside within the scope boundary are subject to third party supplier assessments. Supplier risk ratings are stored in the Curtis Fitch Third Party Supplier Assessment Tool. These third parties may provide software, hardware or physical controls to protect information used by Curtis Fitch and its customers.
One ISO 27001:2013 control has been omitted: 'Outsourced development' (Annex A.14.2.7).
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security accreditations||No|
|Named board-level person responsible for service security||Yes|
|Security governance accreditation||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||Curtis Fitch is ISO 27001 certified and adheres to the policies and procedures created within this ISMS. We are audited externally every year by BSI.|
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||All new software development at Curtis Fitch is subject to a QA and testing process, followed by penetration testing before the changes are rolled into a new software version, so that each change is assessed for its potential security impact.|
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||Curtis Fitch works with Veracode to provide SAST and DAST coverage of the CFSuite product. Veracode also provides best-practice advice and industry knowledge and awareness of security vulnerabilities.|
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
For threat detection and prevention, under our intensive support agreement with our service provider Rackspace UK, a team operates 24/7 tracking online threats that could have an impact on our service.
We have an IDS and IPS hardware service in place that our service provider also manages. Threats and access attempts are rated, and we are advised if and when action is taken. Incidents are dealt with immediately by the service provider; Curtis Fitch only gets involved if intervention is required, which typically happens as soon as the incident is logged.
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||Curtis Fitch follows a pre-defined incident management process. Users report an incident by calling our support desk or their account manager. Once recorded, the incident is given a priority of critical, high, medium or low. For critical incidents, such as data loss, a developer is allocated immediately to investigate. Once a fix has been made and tested, the account manager works with the customer to patch the fix onto their site. An incident report is then written and sent to the customer.|
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||Yes|
|Price||£2000 per licence per year|
|Discount for educational organisations||No|
|Free trial available||Yes|
|Description of free trial||Potential customers are given access to their own branded trial site. We will agree a time period for the potential customer to use this. They will have access to all of the features which would be available in a paid licence.|
|Pricing document||View uploaded document|
|Terms and conditions document||View uploaded document|