Corporate Financial Management Systems Limited (CFMS)

Vena – Planning, Budgeting and Forecasting Solution Integrated with Excel

Vena's CPM platform combines deep FP&A planning capabilities, AI-powered reporting and analytics, flexible workflows and robust data governance with the productivity, collaboration, and innovation of your Microsoft applications. Vena is natively integrated with Excel, M365 and Open AI technologies to empower Finance teams - complete planning platform with enterprise-level scalability.

Features

• Integrated software for business planning across the whole organisation
• Consolidated reporting in real time
• Workflow automation for key processes
• Full audit trail of user inputs
• Native integration with Excel
• Data source system agnostic with APIs, native connectors and ETL
• Ease of use, purpose-built for Finance without expensive third-party support
• Dashboard reporting with embedded Microsoft Power BI
• Visibility of financial and non-financial performance
• Integrates with ERP solutions

Benefits

• Reduce cost of ownership in medium term
• Increase user adoption and utilization with familiar native Excel interface
• Connect multiple data sources into a single source of truth
• Increase visibility over key financial reporting and planning processes
• Ensure data integrity and accurate reporting with real-time data refresh
• Significantly reduce lead times for key processes including monthly closedown
• Automate spreadsheet-based processes with full auditability and transparency
• Automate business-wide processes with Vena’s applicability across multiple use cases
• Lower your upfront investment and see value faster
• Secure financial data with advanced security features and role-based permissions

£21,000 a user a year

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at <removed>@9dbbd8ba-ccbd-49bf-9d94-c7cab2f28014.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

499255227641717

Contact

<removed>
<removed>
<removed>@9dbbd8ba-ccbd-49bf-9d94-c7cab2f28014.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
• Service constraints: N/A
• System requirements: N/A

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Maximum first response wait of 1 business day
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: None or don’t know
• How the web chat support is accessible: Via the support pages on our website or via the help feature embedded into our application.
• Web chat accessibility testing: Not known.
• Onsite support: Yes, at extra cost
• Support levels: Standard Support Plan; Every customer has access to our Standard Support Plan for online and telephone support, including:; • 24/7 application monitoring; • Help desk phone and email support 24/5 Monday-Friday; • Unlimited case submissions; • Up to 3 Power Users to contact Vena support; • Maximum first response time of 1 business day; • Access to the Vena Customer Portal, online videos, FAQs, user guides, and a community help forum in our knowledge base; • A dedicated Customer Success Manager to help recommend products, services and processes to help you get the most out of Vena; ; Extended Support Plan; For after-hours support and accelerated response times, our ; Extended Support Plan combines all the services of our Standard Support Plan with:; • 24/5 Help Desk with on-call telephone support; • Maximum first response time of 2 hours for Severity A issues; Up to 20 Manager or Administrator users to contact Vena support.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Training is provided as well as a range of consulting services to assist with implementation and data import etc.
• Service documentation: Yes
• Documentation formats:
  • PDF
  • Other
• Other documentation formats: Online learning portal with Video Tutorials
• End-of-contract data extraction: Customers can easily access their data by doing a mass or queried export within the Vena application. Vena supports .csv format for data export.
• End-of-contract process: Contracts are normally renewed on the contract anniversary. If a customer wishes to terminate the contract, then all customer data is permanently deleted.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Same functionality. Note that Vena does not have a separate mobile application. Rather, Vena users can easily log onto the application via any mobile device through their mobile browser.
• Service interface: No
• User support accessibility: None or don’t know
• API: Yes
• What users can and can't do using the API: The Vena API is a REST API that allows users to; • Retrieve template information; • Upload files to steps; • Create jobs; • Edit jobs; • Run jobs; • Export Data
• API documentation: Yes
• API documentation formats: HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Vena provides a fully configurable set of tools that does not require code customization. This includes data modelling, workflow management and template/report design, which leverages all the capabilities of a native Excel interface.; ; Customizations will not be impacted by product upgrades.; ; A sophisticated process designer that allows users to drag-and-drop their workflow process, including input steps, review steps, alerts and report access.; ; The ability for workflow messages to be customized, including autofill with specific data.; ; The ability to require managers to acknowledge receipt/review/approval of reports(s); ; User permissions pertaining to access and security are controlled by the administrator and can be customized as needed.; ; The database can be fully configured to support tables and fields as required. Templates and reports are authored in a native Excel interface and can be completely customized by the client.; ; Pre-formatted reports that can be leveraged as a starting point. Vena leverages a native Excel interface as the authoring environment, which allows clients to customize their reports as needed.; ; The ability to create and customize dynamic validation rules based on user inputs.; ; Data visualization tools to improve visibility into processes and conditions, as well as discerning trends and projections.

Scaling

• Independence of resources: As a multi-tenant SaaS platform, auto-scaling enables Vena to support unlimited concurrent users without performance degradation.

Analytics

• Service usage metrics: Yes
• Metrics types: Service status shared on public URL
• Reporting types: Reports on request

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Vena Solutions

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Other
• Other data at rest protection approach: Vena encrypts all client data at rest using AES-256 bit encryption. Passwords are also securely stored through one-way hashed (bcrypt) with salt.
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Vena is source system agnostic and supports a full spectrum of data integration capabilities to connect and load data from any source systems, including ERPs/GLs, HRISs, CRMs and more. Vena offers multiple methods of data integration to our customers, along with Extract-Transform-Load (ETL) functionality, depending on your source systems, available resources, and preferences: ; 1. Manual integration through the web user interface; 2. Automated/scheduled integration of data via flat file format, extracted from any source system; 3. Automated/scheduled integration via productized API connections (including Netsuite, Sage Intacct, SalesForce, Quickbooks Online, MS Dynamics 365); 4. Automated/scheduled integration via Vena’s open REST API
• Data export formats: CSV
• Data import formats:
  • CSV
  • Other
• Other data import formats: TDF

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
• Other protection within supplier network: All data in Vena is encrypted in transit using TLS 1.2 and at rest using AES 256-bit encryption, backed by the AWS Key Management System (KMS).

Availability and resilience

• Guaranteed availability: As per Vena’s Service Level Agreement:; ; Vena will use commercially reasonable efforts to maintain a monthly uptime percentage of at least 99.5%, available 24 hours a day, seven days a week, during each monthly cycle (the “Service Commitment”). Monthly uptime percentage is based on minutes the system is unavailable outside of planned maintenance windows in a calendar month and between the hours of 9:00 AM to 8:00 PM Eastern Time, Monday through Friday, excluding holidays. The Service is considered unavailable when it cannot be accessed by the Subscriber between 9:00 AM to 7:00 PM, Eastern Time, Monday through Friday, due to a service provider issue. If Vena fails to meet the Service Commitment, the Subscriber is eligible for a Service Credit as described below.; ; Service Credits are calculated as a percentage of the proportional monthly subscription value of the total subscription fees paid by the Subscriber for the unavailable Service, according to the schedule below:; • Service unavailable between 90-360 minutes: 10%; • Service unavailable for more than 360 minutes: 40%
• Approach to resilience: Available on request
• Outage reporting: A public dashboard can be subscribed to – status.vena.io

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Access is granted based on an employee's role based on principles of least privilege. Only the access that is required for the employee to perform their duties is granted. Only a limited group of Vena employees on the Infrastructure team have access to infrastructure/systems hosting customer data, for the purposes of troubleshooting systems issues and performing maintenance. All access is audited and controlled through access management controls, such as API logs, two-factor authentication and VPN access to the environment. All backend operations to access any data (including backups) is logged via AWS CloudTrail.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: No audit information available
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 14/06/2023
• CSA STAR certification level: Level 1: CSA STAR Self-Assessment
• What the CSA STAR doesn’t cover: N/A
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • SOC 1
  • SOC 2

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: Vena has successfully completed SOC 1 & SOC 2 Type II audits which were performed by Deloitte LLP. The examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants (AICPA).
• Information security policies and processes: Vena employs a three lines of defense model to govern risk management. This model is widely used in the industry. Each of the three lines plays a distinct role within Vena’s control environment. ; ; The first line of defense lies with the business and process owners, like IT, Finance, HR and Vena’s Cloud Operations teams, which are responsible for maintaining effective controls and for executing agreed upon risk and control procedures on a day-to-day basis. ; ; The second line is performed by our Corporate Security department and overseen by a Security Risk & Compliance committee, which supports management to help ensure risk and controls are effectively managed. This line performs risk management and compliance functions to help build and/or monitor the first line-ofdefense controls. ; ; The third line of defense provides assurance to senior management and the board that the first and second lines’ efforts are consistent with expectations. Vena employs independent external auditors for our third line of defense. They are solely responsible for providing an independent opinion on the sufficiency of the internal controls with respect to the requirements specified within accepted industry standards such as SOC

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: The change management process requires that existing security control mechanisms are not negatively impacted prior to approval – adherence to existing controls is reviewed through automated build testing and manual peer core reviews.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Vena Cloud is a fully Infrastructure-as-code production environment deployed across several distributed AWS regions, providing us resiliency, reliability, recoverability and security. We routinely rotate in fresh AWS EC2 VMs on a weekly basis to pick up the latest, up-to-the-minute security releases and OS-level patches to ensure continuous compliance with critical OS-level vulnerabilities. All base images are scanned prior to deployment using automated vulnerability scans and any detected known vulnerabilities will halt the release. ; ; Additionally, Vena regularly performs external penetration tests by an independent third party on an annual basis.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Vena leverages Amazon Guard Duty, which is a continuous security monitoring service that analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail management event logs, CloudTrail S3 data event logs and DNS logs. Amazon Guard Duty uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within our AWS environment. This can include issues like escalations of privileges, uses of exposed credentials or communication with malicious IP addresses or domains.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Vena’s incident response framework provides the foundational processes for incident detection, management and recovery. The framework also establishes roles and responsibilities during an incident, including escalation procedures, incident classification criteria and response procedures. The foundations of the incident response framework were designed to meet the requirements laid out in ISO-IEC 27001:2013; specifically, the control objectives specified in A.16.1 Management of Information Security Incidents and Improvements.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Wellbeing

  Fighting climate change

  Cloud Efficiency Vena's cloud-based model minimises the need for physical infrastructure, thereby reducing energy consumption and carbon footprint.

  Covid-19 recovery

  Robust forecasting and scenario planning features of Vena Solutions help businesses manage financial uncertainty and plan for recovery in the aftermath of the pandemic.

  Wellbeing

  Vena's user-friendly interface and efficient processes reduce stress and workload for financial teams, contributing to better workplace wellbeing.; ; Data Security: Vena’s strong security measures protect sensitive financial data and contribute to peace of mind for its users.

Pricing

• Price: £21,000 a user a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at <removed>@9dbbd8ba-ccbd-49bf-9d94-c7cab2f28014.com. Tell them what format you need. It will help if you say what assistive technology you use.