Vendor / Supply Chain Assurance: Software as a Service
Brooklyn Vendor Assurance is the first enterprise business platform designed to support the supplier relationship management function. Our mission is to help procurement organisations maximise value for money across their third party supplier ecosystem. It takes a new, lightweight approach to drive management, scoring, negotiation and collaboration between vendors effectively.
- Authority Responsibility tracking with action and mitigation planning.
- Key Performance Indicators against your suppliers and supply relationship managers.
- Scheduled and organised review meetings on specific vendor progress.
- Automated and real-time scoring, reporting and auditing.
- Easily tailor the solution to Procurement guidance and policy.
- Continuous Audit: audit trails generated to track vendor performance.
- Integrated Risk Register with full vendor segmentation.
- Fully digitized policy-driven vendor management framework.
- Activity Pipeline to capture new initiatives brought forward by suppliers.
- Automated processing of SLA performance data for exception reporting.
- Create, roll out, govern a vendor-management Policy.
- Very user-friendly and easy to build and use immediately.
- Automate and track internal and external adherence to that Policy.
- 75% admin reduction per SRM: Interactions, tracking, minuting, meeting, auditing.
- 3x increased SRM coverage in 6 months.
- 10x increased governance and consistency.
- Powerful guidance regarding Risk mitigation and contract controls.
- Score and govern all aspects of SRM, automatically and passively.
- Demonstrable risk mitigation and audit trails subject to vendor relations.
- Drive innovation and measure results via a guided approach.
£5000 per licence per month
- Education pricing available
9 8 5 1 6 3 7 9 5 7 6 3 5 1 0
Brooklyn Supply Chain Solutions Ltd
+44 (0) 7375 379 393
|Software add-on or extension||No|
|Cloud deployment model||Private cloud|
|Email or online ticketing support||Email or online ticketing|
|Support response times||Within two hours during GMT business hours, otherwise next business day.|
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||Yes, at an extra cost|
|Web chat support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support accessibility standard||None or don’t know|
|How the web chat support is accessible||Accessible in-app, in the browser.|
|Web chat accessibility testing||None yet.|
|Onsite support||Yes, at extra cost|
A Premium support package exists.
T&E is available for specialized support, configuration, or build needs.
Account managers are not yet available across accounts.
Cloud support engineers are available on T&E basis, availability permitting, and for support purposes.
Prices and availability can be provided on inquiry but are not fixed enough to articulate here.
|Support available to third parties||No|
Onboarding and offboarding
Brooklyn Vendor Assurance provides:
- Onsite training for marquee customers
- Offline / remote training
- Onboarding guidance
- Best practices resource kits and content
- Customer Success
- Customer Support
|End-of-contract data extraction||
Several methods exist:
User interactions, with all history, are available for download.
Summary reports, all downloadable.
Meeting minutes and risk register and action register, all available.
In general, the user would pull data as desired.
Return of all customer data as requested by the customer, if any in possession outside of the application.
BrooklynVA resources can pull data at T&E rates.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||No|
|What users can and can't do using the API||
The API allows for several types of data exchange:
Data input for refreshing data tables. Here the application expects tabular data of fixed type. Data exchange via modern web methods including JSON, web services, SOAP, etc.
Data upload of documents. Any generic document can be posted, like a file share. The post expects metadata of certain fields to specify the location of the document in the application.
Email ingestion. Users get two unique email addresses, and posting of data and content can happen that way. Users can upload documents via email, and they can upload Management Information (MI), which gets parsed and actioned.
Direct email link. Users can upload links to any URL and connect to desired systems that way, in text fields, as a lightweight alternative to full API integration.
|API documentation formats|
|API sandbox or test environment||Yes|
|Description of customisation||
The solution is highly customizable at several points. Major areas include:
- Creation and maintenance of a vendor review policy.
- Policy and framework for segmenting vendors.
- Filtering relevant views of suppliers and all attached parties and obligations.
- Timeline views of past and future Supplier events, such as reviews.
- Coming soon: role creation, for different classes of users.
|Independence of resources||
Amazon Web Services (AWS), London Data Center, hosts the application. The application is architected and stress tested to support very high usage. The application is entirely serverless, leveraging AWS Lambda capability, in a very secure virtual private cloud (VPC) container architecture.
More details available on request.
|Service usage metrics||Yes|
User metrics as captured by Amazon Web Services, Pinpoint service.
Event-based logging, where events are tagged and captured in an action log for reporting purposes.
|Reporting types||Reports on request|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||None|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||‘IT Health Check’ performed by a CHECK service provider|
|Protecting data at rest||Physical access control, complying with CSA CCM v3.0|
|Data sanitisation process||Yes|
|Data sanitisation type||Deleted data can’t be directly accessed|
|Equipment disposal approach||In-house destruction process|
Data importing and exporting
|Data export approach||
Manual search and download.
Modern web methods all supported via API engine.
|Data export formats||
|Other data export formats||Documents posted are retrievable in their original format.|
|Data import formats||
|Other data import formats||Virtually any|
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
This is not yet standardized for the marketplace generally.
Customers do get an attractive recovery point objective (RPO) and recovery time objective (RTO).
|Approach to resilience||
This is available upon request.
Refer to AWS public documentation which is extensively available on this topic.
Customer Success Manager (CSM) proactively makes the customer aware.
CSM made aware through internal alerting services.
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||This is specified in detail in the GDPR obligation list and actions. Basically, a named list contains all persons with any access to customer information. Only the most senior support is on that list. Environments for support are seeded with test data so that individuals not named on that list can handle support issues.|
|Access restriction testing frequency||At least once a year|
|Management access authentication||
Audit information for users
|Access to user activity audit information||You control when users can access audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||You control when users can access audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||
|Named board-level person responsible for service security||Yes|
|Security governance certified||No|
|Security governance approach||
The company is on a pathway to ISO27001 certification. Certain controls are in place, others are on the way, towards full ISO27001 support.
Company CISO is a deep expert in this field and is leading the certification journey internally.
|Information security policies and processes||A combination of CTO-led processes for technical components related to the application, which follow the AWS “shared responsibility” security model posted online by AWS, and CISO-led processes for all business controls, for which ISO27001 is the standard. More information available on request.|
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||
The cloud hosting and Platform as a Service (PaaS) is entirely managed by AWS.
The application level and business level components and services are change-managed through an internal proprietary approach that combines best practices of Agile and Kanban methods and application of in-house CISO-sponsored processes and methods.
Third party penetration testing includes access to source code and all records.
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||This is proprietary. Information available upon request.|
|Protective monitoring type||Undisclosed|
|Protective monitoring approach||Again proprietary. Incidents get immediate response and notifications are done in compliance with GDPR and other relevant legal frameworks.|
|Incident management type||Supplier-defined controls|
|Incident management approach||
A pre-defined process exists. Users report incidents via phone, email, or online submission.
Incident reports are available upon request or provided at the discretion of the CSM.
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Public sector networks
|Connection to public sector networks||No|
|Price||£5000 per licence per month|
|Discount for educational organisations||Yes|
|Free trial available||No|