Brooklyn Supply Chain Solutions Ltd

Vendor / Supply Chain Assurance: Software as a Service

Brooklyn Vendor Assurance is the first enterprise business platform designed to support the supplier relationship management function. Our mission is to help procurement organisations maximise value for money across their third party supplier ecosystem. It takes a new, lightweight approach to drive management, scoring, negotiation and collaboration between vendors effectively.


  • Authority Responsibility tracking with action and mitigation planning.
  • Key Performance Indicators against your suppliers and supply relationship managers.
  • Scheduled and organised review meetings on specific vendor progress.
  • Automated and real-time scoring, reporting and auditing.
  • Easy tailoring of the solution to Procurement guidance and policy.
  • Continuous Audit: audit trails generated to track vendor performance.
  • Integrated Risk Register with full vendor segmentation.
  • Fully digitized policy-driven vendor management framework.
  • Activity Pipeline to capture new initiatives brought forward by suppliers.
  • Automated processing of SLA performance data for exception reporting.


  • Create, roll out, govern a vendor-management Policy.
  • Very user-friendly and easy to build and use immediately.
  • Automate and track internal and external adherence to that Policy.
  • 75% admin reduction per SRM: Interactions, tracking, minuting, meeting, auditing.
  • 3x increased SRM coverage in 6 months.
  • 10x increased governance and consistency.
  • Powerful guidance regarding Risk mitigation and contract controls.
  • Score and govern all aspects of SRM, automatically and passively.
  • Demonstrable risk mitigation and audit trails subject to vendor relations.
  • Drive innovation and measure results via a guided approach.


£5000 per licence per month

  • Education pricing available

Service documents


G-Cloud 11

Service ID

9 8 5 1 6 3 7 9 5 7 6 3 5 1 0


Brooklyn Supply Chain Solutions Ltd

Jesse Lee

+44 (0) 7375 379 393

Service scope

Software add-on or extension: No
Cloud deployment model: Private cloud
Service constraints: None, other than that the service must be delivered through modern, common browsers running JavaScript.
System requirements: Service must be delivered through modern, common browsers running JavaScript.

User support

Email or online ticketing support: Email or online ticketing
Support response times: Within two hours during GMT business hours, otherwise next business day.
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: Yes, at an extra cost
Web chat support availability: 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard: None or don’t know
How the web chat support is accessible: Accessible in-app, in the browser.
Web chat accessibility testing: None yet.
Onsite support: Yes, at extra cost
Support levels: A Premium support package exists. T&E is available for specialized support, configuration, or build needs. Account managers are not yet available across accounts. Cloud support engineers are available on T&E basis, availability permitting, and for support purposes. Prices and availability can be provided on inquiry but are not fixed enough to articulate here.
Support available to third parties: No

Onboarding and offboarding

Getting started: Brooklyn Vendor Assurance provides:
- Onsite training for marquee customers
- Offline / remote training
- Onboarding guidance
- Best practices resource kits and content
- Customer Success
- Customer Support
- Documentation
Service documentation: Yes
Documentation formats: PDF
End-of-contract data extraction: Several methods exist:
- User interactions, with all history, are available for download.
- Summary reports, all downloadable.
- Meeting minutes, risk register and action register, all available.
In general, the user would pull data as desired.
End-of-contract process: Return of all customer data as requested by the customer, if any in possession outside of the application. BrooklynVA resources can pull data at T&E rates.

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install: No
Designed for use on mobile devices: No
Service interface: No
What users can and can't do using the API: The API allows for several types of data exchange:

Data input for refreshing data tables. Here the application expects tabular data of fixed type. Data exchange via modern web methods including JSON, web services, SOAP, etc.

Data upload of documents. Any generic document can be posted, like a file share. The post expects metadata of certain fields to specify the location of the document in the application.

Email ingestion. Users get two unique email addresses, and posting of data and content can happen that way. Users can upload documents via email, and they can upload Management Information (MI) which gets parsed and actioned.

Direct email link. Users can upload links to any URL and connect to desired systems that way, in text fields, as a lightweight alternative to full API integration.
API documentation: Yes
API documentation formats: PDF
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: The solution is highly customizable at several points. Major areas include:

- Creation and maintenance of a vendor review policy.
- Policy and framework for segmenting vendors.
- Filtering relevant views of suppliers and all attached parties and obligations.
- Timeline views of past and future Supplier events, such as reviews.
- Coming soon: role creation, for different classes of users.


Independence of resources: Amazon Web Services (AWS), London Data Center, hosts the application. The application is architected and stress tested to support very high usage. The application is entirely serverless, leveraging AWS Lambda capability, in a very secure virtual private cloud (VPC) container architecture. More details available on request.

Service usage metrics: Yes
Metrics types: User metrics as captured by Amazon Web Services, Pinpoint service. Event-based logging, where events are tagged and captured in an action log for reporting purposes.
Reporting types: Reports on request

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: None

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: No
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest: Physical access control, complying with CSA CCM v3.0
Data sanitisation process: Yes
Data sanitisation type: Deleted data can’t be directly accessed
Equipment disposal approach: In-house destruction process

Data importing and exporting

Data export approach: Manual search and download. Modern web methods all supported via API engine.
Data export formats:
  • CSV
  • Other
Other data export formats: Documents posted are retrievable in original format.
Data import formats:
  • CSV
  • Other
Other data import formats: Virtually any

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: This is not yet standardized for the marketplace generally. Customers do get an attractive recovery point objective (RPO) and recovery time objective (RTO).
Approach to resilience: This is available upon request. Refer to AWS public documentation which is extensively available on this topic.
Outage reporting: Customer Success Manager (CSM) proactively makes the customer aware. CSM made aware through internal alerting services.

Identity and authentication

User authentication needed: Yes
User authentication:
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels: This is specified in detail in GDPR obligation list and actions. Basically, a named list contains all persons with any access to customer information. Only most senior support is on that list. Environments for support are seeded with test data for purposes of handling support issues by individuals not named on that list.
Access restriction testing frequency: At least once a year
Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information: You control when users can access audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: You control when users can access audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security certifications: Yes
Any other security certifications:
  • The company is proceeding towards its first ISO27001 certification.
  • AWS web Infrastructure, replete with most relevant and modern certifications

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: No
Security governance approach: The company is on a pathway to ISO27001 certification. Certain controls are in place, others are on the way, towards full ISO27001 support. Company CISO is a deep expert in this field and is leading the certification journey internally.
Information security policies and processes: A combination of CTO-led processes for technical components related to the application, which follow the AWS “shared responsibility” security model posted online by AWS, and CISO-led processes for all business controls, for which ISO27001 is the standard. More information available on request.

Operational security

Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach: The cloud hosting and Platform as a Service (PaaS) is entirely managed by AWS. The application level and business level components and services are change-managed through an internal proprietary approach that combines best practices of Agile and Kanban methods and application of in-house CISO-sponsored processes and methods. Third party penetration testing includes access to source code and all records.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: This is proprietary. Information available upon request.
Protective monitoring type: Undisclosed
Protective monitoring approach: Again proprietary. Incidents get immediate response and notifications are done in compliance with GDPR and other relevant legal frameworks.
Incident management type: Supplier-defined controls
Incident management approach: A pre-defined process exists. Users report incidents via phone, email, or online submission. Incident reports are available upon request or provided at the discretion of the CSM.

Secure development

Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks: No


Price: £5000 per licence per month
Discount for educational organisations: Yes
Free trial available: No
