EU Supply Limited


eAuction enables the online set-up of auction events, compliant with Procurement legislation to drive better value against the pricing element within a tender process. Used as a standalone process or in conjunction with a pricing stage and previous weighted scores to give an overall ranking method, fully audited.


  • Online Setting of eAuction events with workflow
  • Includes agreeing opening bids, non-price parameters, extension times etc
  • Full audited process
  • Allows for various event types including Multiple Lot auctions
  • Functionality to ensure tight management of bidding parameters
  • Selection and invitation of Suppliers to event
  • Fully online both Buyer and Supplier
  • Online Secure messaging including broadcasts
  • Choice of weighting models available
  • Integrates e-Tendering, e-Contract Management, DPS, Quick Quotes/RFQ, e-Evaluation, e-Vendor


  • High potential of significant and real cashable savings
  • Drives better value in the best and final offer stages
  • Real-time view of live activity and price reductions
  • Real-time graph of live activity and end results
  • End result reporting for internal and external use


£2,500 a unit a year

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 13

Service ID

4 2 3 1 3 4 6 4 7 3 1 5 8 0 6


EU Supply Limited Richard South
Telephone: 07969 356042

Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
1. Multiple files and folders can be uploaded as tender documents, however, each file should not be more than 2.14GB. 2. Maximum data space for the Authority is 10GB allowed in the basic price but additional space can be purchased if required.
System requirements
  • Internet access
  • Any commonly used browser, including up to 3 previous versions

User support

Email or online ticketing support
Email or online ticketing
Support response times
Email or ticketing support queries get an immediate ticket number and Severity Level 1 issues are normally responded to within the same business day. Please see enclosed SLA in our Service definition document.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 A
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Support for both buyer and supplier users is included at no extra cost. A technical account manager is assigned for each client. Helpdesk is accessible via e-mail and phone.
Minimum guaranteed SLA is 99.5% during Working Hours and actual current performance is 99.8%
Support available to third parties

Onboarding and offboarding

Getting started
Authority makes a request to join the system via contacting EU Supply (phone or via email) and completes a simple initialisation form with the Authority details and buyer details.
Upon receipt of a Purchase Order, the Authority is set up in the system both on the live production site and a demo/training site. Standard procurement templates are loaded for the Authority.
The secure log in is sent to the Administrator of the Authority. The Administrator of the Authority can access guidance and training material and create additional users as per the Purchase Order.
Authority can go live and start publishing tenders within one day of receipt of online form and the PO.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
The archive module will allow the Authority to download all tender response data, including communication messages and audit trail as reports. In addition, we can create an encrypted 'zip' file for the Authority to download.
End-of-contract process
Authority has to give written notice of termination and then the archive facility will be swithced on to allow the Authority to download the tender data. There is no additional cost for this.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Mobile device requires a browser and internet access. For security reasons there is no APP to be downloaded. There is no difference between the mobile and desktop service apart from the screen being smaller on a mobile device. Some page layouts may not be optimal for small screen mobile devices. File upload may be a limitation on mobile devices.
Service interface
User support accessibility
None or don’t know
Description of service interface
There are multiple service interfaces to different system e.g. RSS Feed, archiving systems, publishing systems (TED and Contract Finder), E-Signature providers and National Notification Platforms such as Doffin (Norway).
Accessibility standards
None or don’t know
Description of accessibility
Testing has been performed on the Doffin National Notification Portal for Norway. All system public pages have been tested. A formal accessibility statement is published on our platform in compliance with Accessibility Regulations 2020 which is a legal requirement by September 2020. EU-Supply is fully committed in making all public pages of the platform website fully accessible, in accordance with the Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2020.
Accessibility testing
Testing has been performed on the Doffin National Notification Portal for Norway.
What users can and can't do using the API
The system allows the export of data using interfaces such as RSS Feed and Data Download Service API. The user can build their own reports and interrogations using this API.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Procurement Templates can be configured via the Administrator interface; Secure workspaces can be set up; OJEU templates and invitation letters can be configured; Online questionnaire template libraries can be set up; Document Libraries can be set up; Additional users can be set up and access rights (read only, editor etc.) can be set up by the Authority (subject to the Purchase Order licence requirements); A branded page can be set up; Url of the site will be in the format;


Independence of resources
The current loading of the platform is closely monitored and is kept below 30% of the capacity to cater for rapid increase of service load. Additional servers can be added easily to increase the capacity if required. Application infrastructure supports web servers to be fully scalable. Additional web servers can be added on-demand.


Service usage metrics
Metrics types
Depending on SLA, service usage metrics can be made available under monthly, quarterly, half-yearly, annual basis.
Reporting types
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
A number of reports are available for the user to export their data, including tender responses, supplier communication messages, audit trails and evaluation reports. In addition, there are configurable reports the user can use as well as the Archive facility to export all tender responses.
Data export formats
  • CSV
  • Other
Other data export formats
  • Xls
  • Pdf
  • CSV
  • Doc
  • Xml
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
  • Xls
  • Txt
  • Docx

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Minimum SLA is 99.5% during Working Hours, but target and currently achieving 99.8% over the last few years.
Approach to resilience
High Availability(HA) infrastructure designed to host CTM application with redundancy of resources at all levels.
• HA pair of Front firewalls for service boundary protection to accept the incoming HTTPS connections.
• A second tier of HA pair of firewalls exists between the web servers and the backend databases.
• Web servers are clustered to provide redundancy and scalability.
• Database mirroring technology is used to maintain Primary-Secondary database instances as hot standby server with automatic rapid failover support
• All file storages are replicated to a secondary location
• Backups are taken into disaster recovery location using secured connection through IPSec tunnel
Outage reporting
Public dashboard and email alerts

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Access to management interfaces are protected by Secure VPN access and 2-factor authentication.
Role-based access controls for information systems are established to incorporate only “need to provide” legitimate limited access to meet business needs.
Access to the resources on the EU-Supply network, computing, information systems and peripherals is strictly controlled to prevent unauthorised access.
administration access within the EU-Supply infrastructure is restricted to those persons who are qualified and authorised to perform systems administration / management functions. Even then, such access are performed under dual control requiring the specific and documented approval of Change Requests.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
Carlstedt Inc
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover



Carlstedt Inc, a licensed partner of PECB Nordics, herby affirms that the above organisation operates an
that conforms to the requirements of ISOIEC 27001/2013.

The scope and boundaries of the ISMS which meets the criteria of the ISO/IEC 27001:2013 specification of a ISMS covers the management of Information Security aspects in the following areas: All Business Processes, including the following in-scope location(-s): All Locations of above organisations.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Cyber essentials
Cyber essentials plus
Other security certifications
Any other security certifications
  • ISO 9001:2015
  • ISO 20000-1:2011
  • ISO 14001:2015

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
Confidentiality of information is guaranteed as part of our integrated information management system. This has been implemented and refined since 2009 to safe guard EU-Supply IPRs, security of its information and services, quality of its services and projects, and this integrated management system has been certified ISO 27001:2013, ISO 9001:2015, ISO 20000-1:2011 and ISO 14001:2015 for all business processes across the group, with certifications all performed by PECB accredited certification body. All access to the system delivered as Software as a Service is via secure user authentication. Only users with access to documents and workspaces can view, edit or download information and manage workflow. There is logical separation between workspaces and user profiles.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Configuration and change management process described in EU-Supply’s Information Security Management System(ISMS) which is ISO/IEC 27001 certified:
• All changes in are subject to Change control process and are to be tested prior to deployment
• All changes need to be analysed for risk of applying/not-applying change
• All changes needs a formal Change request form to be filled in by the requestor which includes time-plan, detailed steps, responsible, rollback plan etc for any change and sent to ISF (Information security forum) for approval
• Upon approval of ISF, changes are applied
• ISF maintains changes in the Change Record
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
It is the policy of EU-Supply to ensure that vendor supplied security patches of Software/OS/3rd party components in use are applied in a timely manner.
Patches are subject to Change Control Process and are to be tested before deployment.
Patches are obtained from the relevant support provider.
Identified critical security patches are installed as soon as practicable.
A variety of sources of critical patch information are to be used. Examples include Vendor websites, vulnerability websites, vulnerability scans carried out by the systems security team and directly from the Support provider support team.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
A number of monitoring control features are in use, including "internal" (through System Center Operations Administrator SCOM) as well as "external", such as Site scanner service to monitor external access of websites.
There are other logging features also enabled such as IIS logs, firewall logs, URL traces, error logs etc. EU-Supply operations team monitors such alerts and logs proactively to identify potential problems and find remedy.
If a potential compromise is discovered then it is dealt according to severity classification as laid in Incidence response procedure in Eu-Supply Information Security Management System(ISMS) which is ISO/IEC 27001 certified.
Incident management type
Supplier-defined controls
Incident management approach
EU-Supply process is detailed in Incident Response Plan according Information Security Management System(ISMS) which is ISO/IEC 27001 certified. Aspects:
• Incident management roles and responsibilities.
• Communications strategies and mechanisms for escalation, including contact details.
• The conditions under which third parties are contacted.
• How incidents are to be categorised and prioritised.
• Reporting requirements.
• Process flow from incident notification to final closure.
• How to respond to different incident types.
• Strategy for business continuity post compromise.
• Analysis of legal requirements for reporting compromises & Procedure for personal data protection breach and registration of breach (GDPR)

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks

Social Value

Equal opportunity

Equal opportunity

As a part of its commitment to sustainable growth, Mercell decided in 2020 to sign the UN Global Compact and its ten principles on human rights, labour, environment, and anti-corruption. Mercell works to ensure that all employees and anyone acting on behalf of the company perform their activities in an ethical and socially responsible way, and in accordance with the company’s values of Growth, Curiosity, Courage and Trust. These principles are embedded in the company’s Code of Conduct.

The parent company Mercell Group raised more than £40m GBP on the Norwegian stock market to become the leading eProcurement provider in Europe. As part of this strategic growth plan, the UK business has been targeted for investment.

Headquartered in Oslo, Norway, the company has activities across 28 locations in 13 countries. At the end of 2020, the Group had 456 employees, including near-shore contractors. This was an increase from 199 FTEs at the end of 2019. Organic growth accounted for 30% of the increase and acquisitions for 70%.

The employees count 20 different nationalities. The company works to support the objectives of the Gender equality and Discrimination Act to promote equal opportunity and rights. The company is committed to an inclusive work culture, based on diversity, equal employment opportunity and fair treatment of all employees.

The company strives to reflect the diversity in the society and among its customers, and maintain a balance in age, gender, and cultural background among its employees. Women made up 42% and men 58% of the workforce at the end of 2020, with the share of women increasing during the year. 65 employees are defined as managers, with personnel responsibilities, of which 36% are women and 64% men.

Approximately 34% of the staff is below 35 years, 44% between 36-55, and 11% above 55 years.


Mercell shall be an attractive place to work, and the company has committed to taking action to create and maintain a good and inclusive working environment. The working environment is considered good. The company does not accept any form of harassment or discrimination based on race, colour, religion, gender, sexual orientation, national origin, age, or disability. No cases of harassment were reported or investigated in 2020. Total sick leave for the Norwegian operation was 2.95% in 2020. No occupational illnesses or injuries were reported or investigated in 2020.

Every Mercell company and every contractor is required to have a systematic approach to the management of Health, Safety, Security and Environment (HSSE), designed to ensure compliance with law an applicable standard, the wellbeing of its personnel and the protection of the environment.

Mercell has operated in compliance with national and regional rules and recommendations with regards to the Covid-19 pandemic. The company has strived to facilitate efficient and healthy home office solutions for the employees and fulfil its responsibilities with regards to social and professional follow-up.

To achieve the above, Mercell employees have a performance review every 6 months and a personal development plan is defined together with the help of the employee’s manager.

The Mercell UK team is looking into the following options to further contribute to the health and wellbeing of its employees’, suppliers and local communities:
• Set aside a number of hours annually that employees can use to volunteer and support local community projects of their choice
• Regional sponsorship / charitable support to local communities
• Looking at linking in with groups such as Go4Growth or the Federation of Small Businesses.


£2,500 a unit a year
Discount for educational organisations
Free trial available
Description of free trial
Free version available for 3 months with full functionality. Setup and implementation costs are chargeable.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.