Promote

Promote ESG

Our App empowers you to assess your supply chain using intuitive ESG scores.
We provide real-time, verified ESG data translating it into actionable business insights to support your decision-making.
We seamlessly connect your suppliers' ESG data with spend data, to identify risks, weaknesses, and optimize your supply chain performance effectively.

Features

• Verified environmental, social, and governance suppliers’ data translated into scores.
• Intuitive and customized ESG dashboards.
• Comprehensive ESG metrics list (ISO certifications, Prompt Payment, among others).
• Personalized weighting system to prioritize specific ESG criteria.
• Comparative analysis of spend data and ESG standards.
• Business Insights facilitating the identification of potential risks.
• Tracking of key supplier performance metrics.
• Integration with finance and procurement systems

Benefits

• Customized scoring tailored to user preferences, adaptable at any time.
• Verified data for accuracy and reliability.
• Capability to track specific spend categories and supplier performance.
• Valuable insights derived from spend data and suppliers' ESG performance.
• User-friendly dashboards for easy access and analysis.
• AI gathering of supply chain ESG data

£20,000 to £60,000 a unit a year

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@promote.consulting. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

410190132815843

Contact

Shaun James
0203 126 4395
info@promote.consulting

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: SAP Ariba
• Cloud deployment model: Public cloud
• Service constraints: Planned maintenance takes place outside of UK work hours and our solution offers a 95% up time.
• System requirements: Use of up to date internet browser from approved list

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Weekdays, 8am to 6pm within 24 hours.
• User can manage status and priority of support tickets: No
• Phone support: No
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Technical Account Manager - £1000/day
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Online training and documentation is provided for users. ; ; Our onboarding team will ensure that we map current spend data and transactional data formats.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: All customer data is returned at the end of a contract using an encrypted file.
• End-of-contract process: No end of contract fees.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Simplified data visualizations on the mobile devices.
• Service interface: No
• User support accessibility: WCAG 2.1 A
• API: No
• Customisation available: Yes
• Description of customisation: Customers can customize:; - Number of procurement category levels.; - ESG attributes to be monitored.

Scaling

• Independence of resources: We constantly monitor solution performance and demand with Application Performance Monitoring (APM) in place and the ability to scale the solution to meet demand.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Users are able to request an export of their data. This will be provided using secure encrypted methods agreed with each client.
• Data export formats:
  • CSV
  • ODF
• Data import formats:
  • CSV
  • ODF

Data-in-transit protection

• Data protection between buyer and supplier networks: Legacy SSL and TLS (under version 1.2)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: 95% solution availability during UK working hours, 9am to 6pm.
• Approach to resilience: Available on request
• Outage reporting: Email alerts

Identity and authentication

• User authentication needed: Yes
• User authentication: 2-factor authentication
• Access restrictions in management interfaces and support channels: Privileged users with enhanced access conduct their activity using separate accounts from those that they use for email and web-browsing. Additionally, 2-factor authentication in in place on all accounts.
• Access restriction testing frequency: At least once a year
• Management access authentication: 2-factor authentication

Audit information for users

• Access to user activity audit information: No audit information available
• Access to supplier activity audit information: No audit information available
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: CSA CCM version 3.0
• Information security policies and processes: We have developed our suite of policies and processes including:; - Acceptable use ; - Network security ; - Data Management; - Access Control; - Password Management; - Remote access; - Incident response; - Security Awareness and training; ; We are currently in the process of obtaining IS0 27001 certification but adhere to leading practice policies, processes and controls. ; Each policy has an Owner responsible for the monitoring of the policy. Ownership of these individual policies is either by our Technical Lead or our Product Manager/Owner. They report directly to the Managing Director. ; ; Our Managing Director is the responsible officer and a review of policies and checks against adherence to the policy are discussed at quarterly Executive Board meetings.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We classify changes as either minor or major with change requests being approved by our product owner and technical lead, where the user and security impacts are assessed. Minor changes can be released as part of a 2-weekly release cycle, whereas major changes are planned out on an individual basis. ; All changes are modelled in our test environment, with a suitable test plan in place for the size and scale of the change. After successful completion of testing, changes can be promoted to the production environment. Production deployment is scheduled for out of hours and includes monitoring.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Threats are subject to a triage process and classified as fix (requires resolution due to negative impact if exploited), acknowledge (not to be resolved at present with a review date assigned) or investigate. ; ; Our policy is to update patches by default, ideally automatically. Any services where this is an exception are agreed and regularly reviewed to ensure that threats are monitored. ; We use a vulnerability scanning product to monitor potential risks and threats to the service. This is run on a monthly basis, with a review and action plan for each vulnerability identified.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We have a defined set of logs that are monitored, including host-based logging, authorisation and access attempts and administrative configuration changes. ; ; When a potential compromise is identified, we have a defined incident response plan and process in place with defined names and contacts for technical, legal and management resources. This is setup to work 24/7. The key stages of the plan include:; Analysis - understand the potential compromise to assess data and understand the level of impact. ; Contain - Activities to lower the impact; Remediate - Stop the incident; Recover - Return to BAU; Review - Assess and learn
• Incident management type: Supplier-defined controls
• Incident management approach: Users can report incidents by email, which is logged in the incident log which contains the name of the person, time and date reported, description and reference. ; On review, the incidents are categorised and prioritised. The user is provided with an email confirming their incident, prioritisation and expected resolution time. ; We have defined guides that cover common incident resolution, with templated emails and processes to resolved. All incidents are diagnosed, with escalation to technical or business teams and communication shared with the user at all interaction points.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Equal opportunity

  Fighting climate change

  Through our Promote ESG solution, users will be able to access reliable data and insights that will help track suppliers performance regarding environmental practices such as reduction of greenhouse gas emissions. ; Users will be able to evaluate their supply chain against environmental targets such as the reduction carbon plans. ; Ultimately, we intend to influence customers, suppliers and communities to support and improve the environment.

  Tackling economic inequality

  The Promote ESG Software offers and incentivises innovation throughout the supply chain by offering meaningful insights about suppliers practices, what will increase our future client's supply chain resilience and economic capacity. ; ; As an example, our solution uses AI to identify if businesses have modern-slavery policies in place and reports on whether there has been a negative publicity event related to a breach of these policies. Our solution is designed to enable Public Sector buyers to be informed about their supply chains in line with the Social Value agenda.

  Equal opportunity

  The Promote ESG Software will also focus on social and governance targets. By evaluating social attributes such us gender pay gap, board of directors composition, and modern slavery policies we focus on the importance of tracking inequality and acting on equal payment across the supply chain.; ; Our solution is designed to enable Public Sector buyers to be informed about their supply chains in line with the Social Value agenda.

Pricing

• Price: £20,000 to £60,000 a unit a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@promote.consulting. Tell them what format you need. It will help if you say what assistive technology you use.