CMap PSA (Professional Services Automation)

Service scope

Software add-on or extension: No
Cloud deployment model: Public cloud
Service constraints: No
System requirements: 2 GHz Processor Multicore Intel/AMD processor

2 GB RAM or greater

1280 x 720 Resolution and above

Network and Internet connection

MS Windows 7 Operating system and above

Web Browser or either Chrome, Edge, Safari, Firefox

Microsoft Office 2007 or newer

User support

Email or online ticketing support: Email or online ticketing
Support response times: Responses are according to our SLA with response times linked to severity and / or impact on client operations. Responses are commonly within 6 hours.
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: Web chat
Web chat support availability: 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard: None or don’t know
How the web chat support is accessible: We use a web chat bot to direct people to the right area
Web chat accessibility testing: Internal testing only
Onsite support: Yes, at extra cost
Support levels: We assign priority levels into 3 categories of issues based on their impact, for example complete system fatigue affecting all users would be a Priority 1 issue, whereas a minor, non-damaging data fix would be a priority 3. The following is the SLA against the 3 categories:
"Priority One: Investigate within 2 business hours", "Priority Two: Investigate within 1 business day", "Priority Three: Investigate within 2 business days".

Unless otherwise detailed in the customer license, contract support will be provided from 08:00-22:00 BST Monday - Friday.

CMap support is included in the annual software license contract. Support can be provided outside of the standard hours by prior arrangement. Weekday out-of-ours support and weekend support is also available by prior arrangement but will be subject to additional charges.

We will use the following methods to provide support:
-Telephone
-Email
-Via remote access tools (where available)

All issues will be resolved in a "best endeavour" basis.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: We adopt a phased approach to our CMap onboarding projects.

Phase 0 - Kick Off includes a kick off call to introduce your CMap Onboarding Team; an Orientation Call to familiarise the project team with the end to end functionality in CMap; and then the CMap instance will be created.

Phase 1 - 4 are then focused on the core modules of CMap (see below). Within each phase, a Process Workshop will be held to discuss the processes that will be adopted to maximise the impact of CMap; a data import will be performed to migrate data for your live projects into CMap; end-user training sessions; and finally a Checkpoint review to confirm the objectives for the phase have been completed. Each of these steps are repeated for each of the four phases:

Phase 1 - Project Set Up
Phase 2 - Time & Expenses
Phase 3 - Finance
Phase 4 - Resource & Reporting.

Clients will have the option to launch each area of CMap during the Checkpoint reviews, or alternatively wait and have a "big bang" launch at the end of Phase 3/4 once the key areas of CMap have been implemented.
Service documentation: Yes
Documentation formats: PDF
End-of-contract data extraction: We provide clients with access to a CMap feature called DRS (Direct Reporting Service) for a period of time (free of charge). The client can then extract all their data and transfer it to Excel.
End-of-contract process: As CMap is charged on an annual fee (unless otherwise agreed). As standard, we require written "notification of termination" no later than 60 days prior to the annual contract renewal date. Should this not occur then the license automatically renews for the agreed contract period.

Using the service

Web browser interface: Yes
Supported browsers: Internet Explorer 11

Microsoft Edge

Firefox

Chrome

Safari

Opera
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: The 'CMap Go' app puts popular functionality from the web application in the palm of your hand, wherever you are, on iOS and Android platforms. I.e. users can download for use on the most popular smartphone and tablet devices. Features of our native app's include timesheet submission, expense claim submission, contacts and colleague directory, CRM activities e.g. sales follow up prompts and time off requests only.
Service interface: No
User support accessibility: None or don’t know
API: Yes
What users can and can't do using the API: All setup of CMap is done through our internal development and customer service teams, so no configuration changes can be made via the API.

Via the API, users can make changes to contacts, companies, timesheet entries, holiday requests and basic project details.

Not all in-app functions are available via the API, though the API functionality mimics the available functions used in the CMAP mobile and Outlook apps.

The API is constantly being developed and improved.
API documentation: Yes
API documentation formats: Other
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: CMap has many (20+) optional modules which can turned on or off. Additionally within all modules are many configurable options allowing CMap to be mapped as closely as possible to your business processes.

Clients have choices on the number of modules used too... I.e. a single client can have multiple Job Costing modules, multiple Resourcing modules, various Reporting module choices, and many accounting integrations etc…

If new functionality is added (perhaps for a specific client, through CMap's community or direct product improvement) the updates/new features is available to any client. The end users are regularly notified (every 2 weeks) about new features and can then select whether they'd like it turned on or off.

Scaling

Independence of resources: CMap uses Microsoft Azure platform. As part of the platform it makes it easy to scale the infrastructure. It also has auto scaling built in.

Analytics

Service usage metrics: No

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Staff screening not performed
Government security clearance: None

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom

European Economic Area (EEA)
User control over data storage and processing locations: No
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest: Physical access control, complying with another standard

Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Through DRS (Direct Reporting Service) into Excel.

We also have an option of an ODBC connection to the raw data. Connecting via this method enables suitably skilled users to extract the raw CMap data into any reporting tool or other software that accepts ODBC con-nections to report on and filter the data. You can also connect via this method with Excel.

Finally, we have a CMap REST API which enables programmatically access to the data held within CMap which is built on the widely used JSON framework.
Data export formats: CSV

Other
Other data export formats: Excel
Data import formats: CSV

Other
Other data import formats: Excel

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)

Other
Other protection between networks: 256bit SSL
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: CMap utilizes the Microsoft Azure hosting framework for all client CMap data and passed ISO 2700 in March 2022. Full details of how Microsoft Azure protect their infrastructure can be found by visiting the following link;

https://www.microsoft.com/en-us/trustcenter/security/azure-security

In regards to the internal systems we employ at CMap we work closely with our IT partner Razorblue who support and maintain our internal network. They provide us with the following automated protections:

1. Anti-virus, regularly updated with latest threat database
2. Auto installation of security/vulnerability patches
3. Internal firewall and network protection to Cyber Essentials standard
4. Local admin control to ensure only approved applications are installed locally on company devices
Approach to resilience: Available on request
Outage reporting: Public status website

Identity and authentication

User authentication needed: Yes
User authentication: Username or password
Access restrictions in management interfaces and support channels: Restricted to only the people who require access
Access restriction testing frequency: At least once a year
Management access authentication: Username or password

Other
Description of management access authentication: IP Lock down

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: Between 1 month and 6 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: Between 1 month and 6 months
How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: BSI
ISO/IEC 27001 accreditation date: 30/03/2022
What the ISO/IEC 27001 doesn’t cover: All controls are in scope
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: Yes
Cyber essentials plus: Yes
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: Successfully passed ISO27001 in 2022

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: CMap use source control (GitHub) to track all code changes, this is complemented by the use of Trello which holds the details of each change, who made it and who QA it. All bugs are logged within Zendesk (our helpdesk system), these tickets are then linked back through to the details of the resolution also.

All changes to the software go through various planning stages. Early life product meeting, through to the technical planning. At each stage the design of the software is considered with security in mind.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: We assess potential threats by continuously monitoring known vulnerabilities. Patches are deployed the latest every 2 weeks.

We get information of potential threats from security related forums.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: CMap have derived substantial benefits by using the Microsoft Azure platform for the extensive monitoring and auditing we have available within the portal.

Once a compromise has been identified CMap will assess the severity and this will then determine the response. For critical issues, these are hotfixed and released as a priority. Other none critical issues are fed into the standard development sprints. Also depending on the type of issue we will look to inform all impacted parties on what the issue was and how this was resolved and what impact it may have had on that particular person.
Incident management type: Supplier-defined controls
Incident management approach: CMap have certain per-defined processes for common events, these are held within our helpdesk software (Zendesk) and used accordingly.

Users can report incidents via email, telephone or via the in app widget.

All issues are logged within our helpdesk system. This has an online portal where approved users can access to gain visibility over all open and closed issues.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks: No

Social Value

Fighting climate change
Equal opportunity
Wellbeing

Fighting climate change

We annually report on our energy use, emissions and environmental policies through our ESG reporting. We offer hybrid working to help reduce travel emissions across the company, and our travel policy is focused on the use of public transport where possible to reduce emissions. We ensure we work with environmentally conscious suppliers and partners, and encourage a paperless business where possible. We have recently introduced company volunteering days to encourage support around environmental sustainability and awareness of climate change.

Equal opportunity

We promote this through our Equal Rights policy. Ensuring recruitment practices are with equal opportunity agents and candidates are offered reasonable adjustments throughout the process. We have working group within the business such as our People Forum to ensure religious holidays/disability awareness/gender equality are recognised and included.

Wellbeing

Annual Mental Health Awareness training for all employees plus more in-depth training for all Managers. Mental Health Week initiatives and activities yearly. 2 MHFA in the business, with 9 more being trained in 2024. We hold annual employee surveys to gauge wellbeing and host awareness sessions and activities throughout the year to encourage involvement and awareness.
We also offer a number of benefits to support with wellbeing, including private medical insurance, employee assistance program, remote GP’s and flexible working.

Pricing

Price: £150 to £850 a user a year
Discount for educational organisations: Yes
Free trial available: Yes
Description of free trial: CMap offer a free Discovery Session (demonstration) and if there is interest, we would offer a Scoping meeting, and we may allow qualifying prospects access to a generic (un-configured) CMap for a pre-agreed and diarised period of time. Commonly 3-10 working days dependent on availability of an appropriate CMap version.

CMap PSA (Professional Services Automation)

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

CMap PSA (Professional Services Automation)

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents