NQC Ltd

Supplier Due Diligence & Compliance Assessments

NQC's Supplier Due Diligence & Compliance Assessment solution offers organisations a comprehensive approach to managing supplier risks and ensuring compliance across their supply chains. Our solution leverages dynamic assessments, addressing regulatory, ethical and environmental considerations, providing actionable insights and remediation plans to improve performance and mitigate risks effectively.

Features

  • Deploy dynamic supplier due diligence assessments from a library
  • Customise assessment criteria, questions, and scoring methodologies
  • Identify areas of non-compliance and recommend actionable steps for remediation
  • Be alerted to risk and deviations from compliance standards
  • Segment and analyse supplier assessment data based on various criteria
  • Identify key findings, trends, and actionable insights
  • Efficient and structured method to collect third-party compliance information
  • Red-Amber-Green scorecards produced from supplier risk analysis
  • Aggregated supplier assessment analysis via easy-to-use dashboards

Benefits

  • Identify and manage third-party risk across numerous compliance themes
  • Enable structured risk reporting with minimal resources
  • Support continuous risk management performance improvement in the supply chain
  • Flag critical risks in supply chain and address them quickly
  • Provide guidance on key compliance issues to suppliers
  • Ensure compliance with regulatory requirements, legislative mandates and industry standards
  • Customise supplier due diligence assessments to meet your unique requirements
  • Uphold your commitment to responsible sourcing, enhancing your brand reputation
  • Make informed, data-driven decisions about supplier risk management priorities
  • Empower your suppliers to improve performance and address risk

Pricing

£30,000 a licence a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@nqc.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

405007467302004

Contact

NQC Ltd Sales
Telephone: 0161 393 4191
Email: sales@nqc.com

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
None
System requirements
Web browser

User support

Email or online ticketing support
Email or online ticketing
Support response times
We provide a Support Centre for 1st line support with additional technical resources for 2nd and 3rd line as required. Standard support times are 9am to 5pm Monday to Friday. Support response times are within 5 working days.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
No
Support levels
We provide a Support Centre for 1st line support with additional technical resources for 2nd and 3rd line as required. Standard UK hours of service are offered with English speaking staff and this cost is incorporated into our SaaS licence fees. Additional hours and languages can be included as required at an additional cost. Users can have access to a Client Delivery Executive and a Client Delivery Manager as required.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Users are allocated a Client Delivery Executive who takes them through a detailed on-boarding process. This involves user set up and online training alongside access to user guides and standard template documents.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
This is undertaken by our technical staff and shared securely with the user in an agreed format.
End-of-contract process
Users will have the ability to extract relevant data from the system either via CSV or PDF. NQC are able to provide a bulk download of data at an additional cost. Licences are removed from the Service for the Users and any personal data is also removed.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
None - formatting designed to redraw when in mobile mode to make it easier to view, but content remains the same.
Service interface
Yes
User support accessibility
WCAG 2.1 AA or EN 301 549
Description of service interface
Web browser
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
Testing delivered in line with 18F Accessibility Guide.
API
Yes
What users can and can't do using the API
Full documentation is available for the various APIs offered via the Service. The APIs enable users to query and extract a range of data sets from summary data to full responses. A range of standard calls have been created that provide users with the flexibility to extract the information they require.
API documentation
Yes
API documentation formats
  • HTML
  • ODF
  • PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Users are able to customise their dashboards to view data relevant to their roles/requirements. This customisation is configurable by the user within their online account. Additional, more complex customisation can be undertaken by NQC on behalf of users; for example, bespoke landing pages and content can be created as required.

Scaling

Independence of resources
Load balancing and compartmentalisation of virtual machines ensures users are able to receive a reliable and consistent service.

Analytics

Service usage metrics
Yes
Metrics types
Standard metrics relate to Service consumption and will differ depending on the chosen service options. The metrics will typically include user logins, supplier completions, suppliers contacted etc. When supplier risk scores are available, further risk analysis is also provided as required via the Client Delivery Executive.
Reporting types
  • Real-time dashboards
  • Regular reports

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Users can export their data in bulk via CSV or in individual PDF report format as required.
Data export formats
CSV
Data import formats
  • CSV
  • Other
Other data import formats
XML

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Our Service has an uptime target of 99% during peak hours – set between 8am and 10pm GMT. Outside of peak hours the application has an uptime target of 98%. Uptime covers all features of the NQC system being accessible as designed to the end-user.
Approach to resilience
Available on Request
Outage reporting
Outages are flagged via a public dashboard and via email notification to users.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Both management interfaces and support channels are controlled via public key exchange and IP locking.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Alcumus Isoqar
ISO/IEC 27001 accreditation date
01/03/2011
What the ISO/IEC 27001 doesn’t cover
Not applicable - the design, application and management of all our software solutions is included in the Scope/Statement of Applicability.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
The organisation is ISO27001 certified and has an infosec policy which has been approved by the Board and is reviewed on a regular basis. Staff are trained on infosec as part of their induction and then at regular intervals thereafter. Non-adherence to the policy is a disciplinary offence and is strictly enforced.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
All changes to any information service, system or resource used by or on behalf of NQC are required to be authorised through the Change Management process. Changes are controlled by a CAB (Change Advisory Board) so all aspects of a change can be discussed and analysed to assess its impact on each area of NQC information systems. Impact or risk assessment take into account information security, availability, capacity and performance of existing production systems.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Identified vulnerabilities for organisational assets are prioritised as HIGH, MEDIUM and LOW, and the organisation has established the following timeline requirements for reacting to notifications of relevant vulnerabilities: HIGH = 2 hours, MEDIUM = 1 week and LOW = 1 month. All vulnerabilities that fall into the identified classifications are first assessed for seriousness, and required controls are considered, such as patching; turning off or removing services affected by the vulnerability; adapting or adding access controls; increased monitoring; and awareness raising. The required controls are actioned through the change management procedure. All high vulnerabilities are assessed by the CAB.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Any events or weaknesses detected through the monitoring of access logs, the use of alert services and the review of third party management information by the relevant asset/relationship owner fall within the scope of the protective monitoring procedure. The Information Security Manager identifies a course of action and timescale to correct any potential issue, dependent upon the effect the issue is likely to have and to what degree, for example isolation/suspension of the relevant facilities/service is implemented, as deemed necessary. The actions will rectify and prevent recurrence of the issue.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Management responsibilities and procedures have been established to ensure a quick, effective and orderly response to information security incidents that ensures appropriate corrective or preventative actions, restores normal operations as quickly as possible, and ensures that improvement opportunities are identified and acted upon. Any employee or third party who becomes aware of an issue which does not meet the organisation’s defined approach and standards, or which has the potential for such an adverse effect, raises this immediately with the Information Security Manager, either verbally or via email.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

Fighting climate change

NQC recognises that our activities impact upon the environment through our contracted service provision, our routine internal operations and through our influence and effects on the wider community. We acknowledge a responsibility for, and a commitment to, protection of the environment at all levels. NQC will work towards net zero greenhouse gas emissions both in the performance of service delivered under G-Cloud 14 and across the organisation as a whole. As a result of our experience and expertise, NQC is well aware of the potential risks and benefits that technology and SaaS companies and big data providers can have on the environment. The delivery of our services involves the use of cloud infrastructure. Any cloud infrastructure provision that is involved in housing the services will impact on the carbon footprint associated with the contract. It is for reasons such as these that NQC takes its environmental impact seriously and is taking active measures to make sure our development, hosting and operational services are as sustainable as possible. As a city-centre-based organisation, NQC is having a positive impact on the environment through our location alone. More than 95% of our workforce chooses to walk, cycle or use public transport to commute to the office, on those days when they want to benefit from in-person collaboration.

Covid-19 recovery

NQC is committed to maintaining and improving the health and wellbeing of our workforce and we firmly believe that at the core of positive employee health and wellbeing is an organisational culture where people are doing purposeful work, in a creative and open environment, contributing to a larger organisation mission, and being treated with respect and dignity. The actions that we have taken and will continue to take to support health and wellbeing, including physical and mental health, of our people are closely aligned to the six standards as set out in the Mental Health at Work Commitment.
A key attribute of our flexible working arrangements includes our hybrid working policy which enables employees, in collaboration with their Line Managers, the opportunity to work from either their home or the NQC office, enabling them to choose to work in the most effective way possible. Employees also have flexibility around start and end times and when and how long they take for a lunch break. We recognise that flexible working also provides equality of opportunity, by giving employees greater flexibility and control in their working life.
More than 95% of our workforce chooses to walk, cycle or use public transport to commute to the office, on those days when they want to benefit from in person collaboration. Our offices include secure bike storage and showers to encourage more employees to walk or cycle into the office.

Tackling economic inequality

As an organisation operating within the software and technology industry, we are acutely conscious of the inequalities that exist within the technology industry’s employment workplace. We believe that diversity is key to our advantage as we’re able to bring a wide range of skills, experiences and perspectives to ensure our business is representative of the broad range of customers and suppliers that we work and engage with. Our equality and diversity policy forms a key part of our Employee handbook which each employee is given on their first day with the organisation. Managers also undertake annual equality refresher training which focuses on unconscious bias and equality in the recruitment process, as well as broader topics regarding equality and diversity. This focus upon equality and diversity is central to our People strategy. We are proud of our success in this respect and we are happy to report that our organisation has a healthy 46:54 ratio of women to men in our workforce. Further to this, 67% of our management team are female along with 30% of our Product Development & Assurance team. Additionally, over 30% of our total employee group comes from an ethnic minority background.

Equal opportunity

We recognise that work has a significant impact on the quality of lives of our people and that we have an important role to play as an employer in ensuring that everyone at NQC benefits from high quality work. Achieving a maximum distribution of high-skilled people within the contract workforce delivers benefits to NQC and our customers. NQC also recognises the importance of quality of work and how this contributes towards a workforce that is motivated, engaged and empowered.

Equal progression
We’re committed to ensuring that all employees, including those in the contract workforce, have scope to develop and progress equally within NQC. Our learning and development programme is part of a longer term vision to increase the skills within our workforce so that our people can gain transferable skills and specialist skills to develop and enhance their prospects within NQC and beyond.

Flexibility
Our commitment to workplace equality and inclusive culture is embedded within our flexible working policy which has been designed to allow our people to manage their time effectively, and enjoy a work life balance.

Fair and equal pay
Whilst NQC, as an SME, is not required to submit our gender pay gap data, in acknowledgement of the diversity of our employee group and their needs, we conduct annual benefits and equal pay reviews as part of our annual HR processes.

Wellbeing

NQC is committed to maintaining and improving the health and wellbeing of our workforce and we firmly believe that at the core of positive employee health and wellbeing is an organisational culture where people are doing purposeful work, in a creative and open environment, contributing to a larger organisation mission, and being treated with respect and dignity.

Prioritising mental health
Whilst responsibility for employee wellbeing is organisation wide, senior ownership and responsibility lies with NQC’s Head of People, who routinely reports on progress of our people’s wellbeing activities to NQC’s Board of Directors.

Work design and organisation culture
We will always strive to maintain an organisational culture where people are doing purposeful work, in a creative and open environment, contributing to NQC’s mission, and being treated with respect and dignity.

Promoting mental health
Mental health and employee wellbeing is a key focus for both NQC's People and CSR strategies and initiatives and we are committed to a culture that promotes openness and understanding when it comes to mental health. We encourage all employees to come to us with concerns around their mental health at work as we recognise the importance of open conversation about mental health.

Increasing confidence and capability
NQC has invested in and implemented programmes and activity streams to support health and wellbeing for many years, generally going above and beyond what might be expected from a small business.

Tools and support
We annually review our employee benefits programme to ensure that we are fully supporting our employees with their mental and physical health. We have introduced an employee assistance programme, which provides employees with access to a virtual 24/7 GP, a confidential helpline to assist with any concerns around health, legal or financial wellbeing topics, as well as the additional benefit of counselling sessions.

Pricing

Price
£30,000 a licence a year
Discount for educational organisations
No
Free trial available
No
