EU Supply Limited

eAuction

eAuction enables the online set-up of auction events, compliant with Procurement legislation to drive better value against the pricing element within a tender process. Used as a standalone process or in conjunction with a pricing stage and previous weighted scores to give an overall ranking method, fully audited.

Features

• Online Setting of eAuction events with workflow
• Includes agreeing opening bids, non-price parameters, extension times etc
• Full audited process
• Allows for various event types including Multiple Lot auctions
• Functionality to ensure tight management of bidding parameters
• Selection and invitation of Suppliers to event
• Fully online both Buyer and Supplier
• Online Secure messaging including broadcasts
• Choice of weighting models available
• Integrates e-Tendering, e-Contract Management, DPS, Quick Quotes/RFQ, e-Evaluation, e-Vendor

Benefits

• High potential of significant and real cashable savings
• Drives better value in the best and final offer stages
• Real-time view of live activity and price reductions
• Real-time graph of live activity and end results
• End result reporting for internal and external use

£2,500 a unit a year

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at richard.south@mercell.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

423134647315806

Contact

Richard South
07969 356042
richard.south@mercell.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: 1. Multiple files and folders can be uploaded as tender documents, however, each file should not be more than 2.14GB. 2. Maximum data space for the Authority is 10GB allowed in the basic price but additional space can be purchased if required.
• System requirements:
  • Internet access
  • Any commonly used browser, including up to 3 previous versions

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Email or ticketing support queries get an immediate ticket number and Severity Level 1 issues are normally responded to within the same business day. Please see enclosed SLA in our Service definition document.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 A
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Support for both buyer and supplier users is included at no extra cost. A technical account manager is assigned for each client. Helpdesk is accessible via e-mail and phone.; Minimum guaranteed SLA is 99.5% during Working Hours and actual current performance is 99.8%
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Authority makes a request to join the system via contacting EU Supply (phone or via email) and completes a simple initialisation form with the Authority details and buyer details. ; Upon receipt of a Purchase Order, the Authority is set up in the system both on the live production site and a demo/training site. Standard procurement templates are loaded for the Authority. ; The secure log in is sent to the Administrator of the Authority. The Administrator of the Authority can access guidance and training material and create additional users as per the Purchase Order.; Authority can go live and start publishing tenders within one day of receipt of online form and the PO.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: The archive module will allow the Authority to download all tender response data, including communication messages and audit trail as reports. In addition, we can create an encrypted 'zip' file for the Authority to download.
• End-of-contract process: Authority has to give written notice of termination and then the archive facility will be swithced on to allow the Authority to download the tender data. There is no additional cost for this.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Mobile device requires a browser and internet access. For security reasons there is no APP to be downloaded. There is no difference between the mobile and desktop service apart from the screen being smaller on a mobile device. Some page layouts may not be optimal for small screen mobile devices. File upload may be a limitation on mobile devices.
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: There are multiple service interfaces to different system e.g. RSS Feed, archiving systems, publishing systems (TED and Contract Finder), E-Signature providers and National Notification Platforms such as Doffin (Norway).
• Accessibility standards: None or don’t know
• Description of accessibility: Testing has been performed on the Doffin National Notification Portal for Norway. All system public pages have been tested. A formal accessibility statement is published on our platform in compliance with Accessibility Regulations 2020 which is a legal requirement by September 2020. EU-Supply is fully committed in making all public pages of the platform website fully accessible, in accordance with the Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2020.
• Accessibility testing: Testing has been performed on the Doffin National Notification Portal for Norway.
• API: Yes
• What users can and can't do using the API: The system allows the export of data using interfaces such as RSS Feed and Data Download Service API. The user can build their own reports and interrogations using this API.
• API documentation: Yes
• API documentation formats: PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Procurement Templates can be configured via the Administrator interface; Secure workspaces can be set up; OJEU templates and invitation letters can be configured; Online questionnaire template libraries can be set up; Document Libraries can be set up; Additional users can be set up and access rights (read only, editor etc.) can be set up by the Authority (subject to the Purchase Order licence requirements); A branded page can be set up; Url of the site will be in the format https://AuthorityName.eu-supply.com

Scaling

• Independence of resources: The current loading of the platform is closely monitored and is kept below 30% of the capacity to cater for rapid increase of service load. Additional servers can be added easily to increase the capacity if required. Application infrastructure supports web servers to be fully scalable. Additional web servers can be added on-demand.

Analytics

• Service usage metrics: Yes
• Metrics types: Depending on SLA, service usage metrics can be made available under monthly, quarterly, half-yearly, annual basis.
• Reporting types:
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: A number of reports are available for the user to export their data, including tender responses, supplier communication messages, audit trails and evaluation reports. In addition, there are configurable reports the user can use as well as the Archive facility to export all tender responses.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • Xls
  • Pdf
  • CSV
  • Doc
  • Xml
• Data import formats:
  • CSV
  • ODF
  • Other
• Other data import formats:
  • Xls
  • Txt
  • Docx

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Minimum SLA is 99.5% during Working Hours, but target and currently achieving 99.8% over the last few years.
• Approach to resilience: High Availability(HA) infrastructure designed to host CTM application with redundancy of resources at all levels.; • HA pair of Front firewalls for service boundary protection to accept the incoming HTTPS connections.; • A second tier of HA pair of firewalls exists between the web servers and the backend databases.; • Web servers are clustered to provide redundancy and scalability.; • Database mirroring technology is used to maintain Primary-Secondary database instances as hot standby server with automatic rapid failover support; • All file storages are replicated to a secondary location; • Backups are taken into disaster recovery location using secured connection through IPSec tunnel
• Outage reporting: Public dashboard and email alerts

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Access to management interfaces are protected by Secure VPN access and 2-factor authentication.; Role-based access controls for information systems are established to incorporate only “need to provide” legitimate limited access to meet business needs.; Access to the resources on the EU-Supply network, computing, information systems and peripherals is strictly controlled to prevent unauthorised access. ; administration access within the EU-Supply infrastructure is restricted to those persons who are qualified and authorised to perform systems administration / management functions. Even then, such access are performed under dual control requiring the specific and documented approval of Change Requests.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Carlstedt Inc
• ISO/IEC 27001 accreditation date: 10/09/2019
• What the ISO/IEC 27001 doesn’t cover: EU SUPPLY LTD GROUP; ; INCLUDING; ; EUS HOLDINGS LTD & EU-SUPPLY HOLDING AB; ; Carlstedt Inc, a licensed partner of PECB Nordics, herby affirms that the above organisation operates an ; INFORMATION SECURITY MANAGEMENT SYSTEM; that conforms to the requirements of ISOIEC 27001/2013.; ; The scope and boundaries of the ISMS which meets the criteria of the ISO/IEC 27001:2013 specification of a ISMS covers the management of Information Security aspects in the following areas: All Business Processes, including the following in-scope location(-s): All Locations of above organisations.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • ISO 9001:2015
  • ISO 20000-1:2011
  • ISO 14001:2015

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Confidentiality of information is guaranteed as part of our integrated information management system. This has been implemented and refined since 2009 to safe guard EU-Supply IPRs, security of its information and services, quality of its services and projects, and this integrated management system has been certified ISO 27001:2013, ISO 9001:2015, ISO 20000-1:2011 and ISO 14001:2015 for all business processes across the group, with certifications all performed by PECB accredited certification body. All access to the system delivered as Software as a Service is via secure user authentication. Only users with access to documents and workspaces can view, edit or download information and manage workflow. There is logical separation between workspaces and user profiles.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Configuration and change management process described in EU-Supply’s Information Security Management System(ISMS) which is ISO/IEC 27001 certified:; • All changes in are subject to Change control process and are to be tested prior to deployment; • All changes need to be analysed for risk of applying/not-applying change; • All changes needs a formal Change request form to be filled in by the requestor which includes time-plan, detailed steps, responsible, rollback plan etc for any change and sent to ISF (Information security forum) for approval; • Upon approval of ISF, changes are applied; • ISF maintains changes in the Change Record
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: It is the policy of EU-Supply to ensure that vendor supplied security patches of Software/OS/3rd party components in use are applied in a timely manner.; Patches are subject to Change Control Process and are to be tested before deployment.; Patches are obtained from the relevant support provider.; Identified critical security patches are installed as soon as practicable.; A variety of sources of critical patch information are to be used. Examples include Vendor websites, vulnerability websites, vulnerability scans carried out by the systems security team and directly from the Support provider support team.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: A number of monitoring control features are in use, including "internal" (through System Center Operations Administrator SCOM) as well as "external", such as Site scanner service to monitor external access of websites.; There are other logging features also enabled such as IIS logs, firewall logs, URL traces, error logs etc. EU-Supply operations team monitors such alerts and logs proactively to identify potential problems and find remedy. ; If a potential compromise is discovered then it is dealt according to severity classification as laid in Incidence response procedure in Eu-Supply Information Security Management System(ISMS) which is ISO/IEC 27001 certified.
• Incident management type: Supplier-defined controls
• Incident management approach: EU-Supply process is detailed in Incident Response Plan according Information Security Management System(ISMS) which is ISO/IEC 27001 certified. Aspects:; • Incident management roles and responsibilities.; • Communications strategies and mechanisms for escalation, including contact details.; • The conditions under which third parties are contacted. ; • How incidents are to be categorised and prioritised.; • Reporting requirements.; • Process flow from incident notification to final closure.; • How to respond to different incident types. ; • Strategy for business continuity post compromise.; • Analysis of legal requirements for reporting compromises & Procedure for personal data protection breach and registration of breach (GDPR)

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Equal opportunity:

  Equal opportunity

  As a part of its commitment to sustainable growth, Mercell decided in 2020 to sign the UN Global Compact and its ten principles on human rights, labour, environment, and anti-corruption. Mercell works to ensure that all employees and anyone acting on behalf of the company perform their activities in an ethical and socially responsible way, and in accordance with the company’s values of Growth, Curiosity, Courage and Trust. These principles are embedded in the company’s Code of Conduct.; ; The parent company Mercell Group raised more than £40m GBP on the Norwegian stock market to become the leading eProcurement provider in Europe. As part of this strategic growth plan, the UK business has been targeted for investment.; ; Headquartered in Oslo, Norway, the company has activities across 28 locations in 13 countries. At the end of 2020, the Group had 456 employees, including near-shore contractors. This was an increase from 199 FTEs at the end of 2019. Organic growth accounted for 30% of the increase and acquisitions for 70%.; ; The employees count 20 different nationalities. The company works to support the objectives of the Gender equality and Discrimination Act to promote equal opportunity and rights. The company is committed to an inclusive work culture, based on diversity, equal employment opportunity and fair treatment of all employees.; ; The company strives to reflect the diversity in the society and among its customers, and maintain a balance in age, gender, and cultural background among its employees. Women made up 42% and men 58% of the workforce at the end of 2020, with the share of women increasing during the year. 65 employees are defined as managers, with personnel responsibilities, of which 36% are women and 64% men. ; ; Approximately 34% of the staff is below 35 years, 44% between 36-55, and 11% above 55 years.
• Wellbeing:

  Wellbeing

  Mercell shall be an attractive place to work, and the company has committed to taking action to create and maintain a good and inclusive working environment. The working environment is considered good. The company does not accept any form of harassment or discrimination based on race, colour, religion, gender, sexual orientation, national origin, age, or disability. No cases of harassment were reported or investigated in 2020. Total sick leave for the Norwegian operation was 2.95% in 2020. No occupational illnesses or injuries were reported or investigated in 2020.; ; Every Mercell company and every contractor is required to have a systematic approach to the management of Health, Safety, Security and Environment (HSSE), designed to ensure compliance with law an applicable standard, the wellbeing of its personnel and the protection of the environment.; ; Mercell has operated in compliance with national and regional rules and recommendations with regards to the Covid-19 pandemic. The company has strived to facilitate efficient and healthy home office solutions for the employees and fulfil its responsibilities with regards to social and professional follow-up.; ; To achieve the above, Mercell employees have a performance review every 6 months and a personal development plan is defined together with the help of the employee’s manager.; ; The Mercell UK team is looking into the following options to further contribute to the health and wellbeing of its employees’, suppliers and local communities:; • Set aside a number of hours annually that employees can use to volunteer and support local community projects of their choice; • Regional sponsorship / charitable support to local communities; • Looking at linking in with groups such as Go4Growth or the Federation of Small Businesses.

Pricing

• Price: £2,500 a unit a year
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Free version available for 3 months with full functionality. Setup and implementation costs are chargeable.

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at richard.south@mercell.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.