Firefly Online Limited

Local Supply Chain

Supplier Relationship Management software for Public Sector organisations who manage construction related services including frameworks, pipelines, supply chains, approved lists, assessments, projects, procurements & performance. Focus on engaging 'local' suppliers & creating a fair & level playing field for SME's who wish to engage with Public Sector construction related spend.

Features

• Framework Management
• Project Management
• E-procurement (Pipeline, EOI, ITT, Sealed Bids, Awards & Feedback)
• Supply Chain Management
• Supplier engagement (SMEs, Micro, Social Enterprise etc)
• Tracking local spend & engaging local markets
• Market Intelligence
• Advertising pipeline & work opportunities
• Supplier performance management
• Microsoft Azure Cloud based software

Benefits

• Transparency across frameworks, projects, procurement and supply chain
• Improved collaboration across business units, teams and colleagues
• Enhanced supplier intelligence
• Creates a 'fair & level' playing field for SMEs
• Improved Governance, transparency & auditability
• Oversight & control over projects & procurement activities
• Reduces duplication & paperwork
• Removes barriers for SMEs wishing to engage with Public Sector
• Boosting local spend with local suppliers, driving economic benefits
• Streamlines internal & external processes

£12,500 a licence a year

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at g-cloud@localsupplychain.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

135098624833985

Contact

Daniel Botherway
0800 197 6958
g-cloud@localsupplychain.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: N/A
• System requirements:
  • Internet Connection
  • Website Browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Mon - Fri during Working Hours (09:00 - 17:00) our average response rates are under 2 hours (excluding bank holidays); ; Mon - Fri outside of working hours we respond the next working day.; ; Sat - Sun we respond the next working day
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
• Web chat accessibility testing: We have not yet carried out chat testing with assistive technology users. ; We use Zendesk for providing online customer service and Zendesk are WCAG 2.1 compliant.
• Onsite support: Yes, at extra cost
• Support levels: Firefly-Online has a support help-desk service (Zendesk) that provides support for all user groups. We provide all of our clients with a Service Level Agreement which details the multiple support routes we offer, the response and resolution times.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We initially provide onsite training followed by online training sessions, which is sufficient in most cases. If users require additional training we can provide onsite or online training.; We also have a full set of video user guides to help users with any queries, and knowledge based articles & online help for further information.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Users can contact us and we will ensure that all of our clients data is extracted in a suitable format if required.
• End-of-contract process: Following a 28 day termination notice, we will terminate any licences associated with the organisation and terminate all user access within the organisation. We will not terminate 3rd party access from those suppliers engaged by our client as they may also be engaged with other clients.; At the end of a contract we will provide a complete data extraction of all data which is owned by our clients. If a data extraction is required in a non standard format or via an API there will be an additional cost.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The design is responsive so the application resizes to optimise the user experience and functionality dependent on the device being used.
• Service interface: No
• User support accessibility: WCAG 2.1 AA or EN 301 549
• API: No
• Customisation available: Yes
• Description of customisation: The following areas of our system can be customised:; Frameworks, Supplier Assessment Templates, Project KPIs, Performance Templates & Branding - customised in our database by Firefly-Online. ; Supplier Labels, Users & Roles - customised via our front end solution by clients.

Scaling

• Independence of resources: At our monthly ISMS Committee we focus on confidentiality, availability and integrity. One aspect of our focus on availability is to review resource planning requirements based on current and historic usage, and pipeline management. Our cloud provider offers auto scaling which enables our platform to automatically adjust resources based on demand. Also, we regularly garner customer feedback on platform performance to ensure our service meets our customers expectations.

Analytics

• Service usage metrics: Yes
• Metrics types: Analytics & Metrics are delivered through the clients internal dashboards.
• Reporting types:
  • Real-time dashboards
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: No
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Clients can contact our support team via e-mail who will ensure all of their data is exported within 28 days.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • JSON
  • XML
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: We provide our clients with our standard SLA which targets us at 99.9% service availability.; Credit notes are issued if our service levels fail to meet our SLA. We can also offer bespoke SLAs on a client by client basis if required.
• Approach to resilience: Our software is hosted in the Microsoft Azure Cloud which generates 6 back ups of data across two separate data centers, and Microsoft guarantee 99.9% availability.
• Outage reporting: Our service desk management team will have designated contact details for customers under contract. We will provide timely updates to all customers and we provide detailed information on the current status on updates and outages. Customers are also able to track issues via our helpdesk.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Role based security per user account. Management and Support personnel have no access to clients individual accounts.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 05/06/2021
• What the ISO/IEC 27001 doesn’t cover: 3rd Party Information Security Management
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: We have our own Information Security Management System (ISMS) which we use for all Information Security Policies and Processes to ensure we maintain and improve Security Levels. This system is also used to ensure we meet and exceed all ISO 27001 expectations. There are a wide range of policies and processes included in here. Some of which are Mandatory in order to maintain our ISO 27001 Accreditation and others which are introduced by us as a business to increase security policies and practice.; Microsoft Azure also have a Security Management Program which enables Microsoft to Track, Monitor, Maintain, Evaluate and Improve Information Security from their part as a third party supplier of Firefly-Online.; Mircosofts ISMS Informaiton can be found here https://www.microsoft.com/en-us/TrustCenter/Compliance/ISO-IEC-27001 and Firefly-Online can provide complete details upon request.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Upon receiving a request, we put together a business case and conduct a data protection impact assessment. This is then reviewed by the senior management team who will either authorise, reject or require additional clarification. Upon authorisation, the system architect will provide a detailed plan and review the impact assessments. This will then be passed to the project team for implementation. Once changes are made, detailed testing will be conducted before release to our live environments.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We utilise Microsofts Azure patch management process to update our platform and software. Within 12 hours of release of Common Vulnerability Exploits, updates are deployed across the estate. We also regularly monitor news feeds for exploits that impact our environment and deploy defensive strategies to mitigate impact of vulnerabilities until patch is publicly available and deployed.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We utilise Microsofts Security Centre to monitor activity within our network and deploy additional monitoring within the application. Alerts are sent to our Development Director who is responsible for incident management. When a compromise is identified our incident management plan is put into force to mitigate/resolve any issues discovered. We will review all alerts within 60 minutes of notification.
• Incident management type: Supplier-defined controls
• Incident management approach: We have developed a playbook for common events and actions required for each event. Events can be reported via automated monitoring systems, staff identification and external customers. Once an event is reported our Development Director is responsible for triage root cause analysis and returning service to normal conditions. All incidents are reviewed by the senior management team within the monthly ISMS meetings or before if required.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Tackling economic inequality

  Tackling economic inequality

  Local Supply Chain removes the barriers to entry for local, smaller organisations to access, bid for and win opportunities for major construction projects. By opening up these opportunities to local contractors, Local Supply Chain provides tier 1 contractors with access to a wider supply chain. This gives tier 1 contractors the opportunity to create more diverse and resilient supply chains for their construction projects. With clients having full transparency this encourages tier 1 contracts to engage local organisations which will benefit and stimulate the local economy, demonstrating to clients that tier 1 contractors are supporting their clients local communities.

Pricing

• Price: £12,500 a licence a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at g-cloud@localsupplychain.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.