Skip to main content

Help us improve the Digital Marketplace - send your feedback


Omnibus-EPM Bus Network Management Systems

Our systems enable bus operators and Local Transport Authorities (LTA’s) to efficiently manage their bus networks, covering the full process from timetabling to TransXChange, BODS and roadside publicity. Our operational and contract management solutions ensure compliance with tenders and support franchised services, with data analytics providing insights to optimise operations.


  • Comprehensive route performance system
  • Manage contracts and monitor performance
  • In depth Electronic Ticket Machine analysis
  • Powerful data analysis and performance insights
  • Enhance timetable management and publicity materials
  • Visibility of multi-operator ticketing sales and usage data
  • Concessionary fare reimbursement
  • Improve punctuality and vehicle efficiency
  • Public transport schedules data exchange
  • Export TransXChange files to the latest BODS standards


  • Improve financial and operational performance
  • Collaborate seamlessly
  • Enhanced reporting
  • Model scenarios
  • Configurable to requirements
  • Data sharing across applications
  • Improved data accuracy
  • Improve customer service and grow patronage
  • Reduce duplication
  • Streamline processes


£12.00 a unit a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 13

Service ID

6 0 6 2 6 5 8 5 5 8 2 6 9 8 0


EPM Josh Mellor
Telephone: +44 1527 556940

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
There are no known constraints that buyers should know about. Systems are configurable depending on user requirements and flexible in terms of modules chosen, and number of licences required.
System requirements
SaaS service works on any device running a supported browser.

User support

Email or online ticketing support
Email or online ticketing
Support response times
Users will receive immediate acknowledgment of a ticket being logged. Calls are resolved within strict SLAs which are dependent on the impact and severity of the problem.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Tickets are assigned a priority (1: Critical to 5: Service Request) based on impact and severity.

Support and maintenance is charged annually, and based on the number of modules and licences held.

On-site support is available at additional cost and based on a day rate which can be found in the SFIA rate card.

Technical account management is provided as part of the overall service, along with a range of other subject experts, including cloud support where required.
Support available to third parties

Onboarding and offboarding

Getting started
After configuration workshops, training is provided to the end users. Dependent on client requirements and Operational needs, go-live support, whether onsite or remote, can be offered. A self service portal is available to users, as well as product webinars and user group sessions.
Service documentation
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats
  • Video
  • Pre-recorded webinars
End-of-contract data extraction
At the written direction of the Customer, we will delete or return the Customer’s Personal Data and copies thereof to Customer on termination or expiry of the agreement unless EPM is required to store the Customer’s Personal Data by law or if such personal data is retained only in backups which are inaccessible in normal use. Data is stored in industry standard formats, which will facilitate this process.
End-of-contract process
We will provide to the customer all reasonable assistance requested by the customer to facilitate the orderly transfer of all or part of the services back to the customer or to enable a Future Service Provider to take over the provision of all or part of the Services in respect of the agreement, until the end of the notice period.

Using the service

Web browser interface
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
Application to install
Designed for use on mobile devices
Service interface
User support accessibility
None or don’t know
Customisation available
Description of customisation
Customisations can be implemented to meet specific requirements on a project by project basis. Requirements are agreed following a discovery workshop and delivered via a robust project methodology.


Independence of resources
All systems are optimised and monitored for performance along with most organisations running on dedicated infrastructure configured for their specific demands.


Service usage metrics
Metrics types
Regular reports are provided showing service usage metrics.
Reporting types
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Staff screening not performed
Government security clearance

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Functionality built into the software allows for the manual export of data, or automated reporting.
Data export formats
  • CSV
  • Other
Other data export formats
  • PDF
  • XLS
  • A01
  • Doc
  • HTML
  • XML
  • WB1
  • WK2
  • WMF
  • BMP
Data import formats
  • CSV
  • Other
Other data import formats
  • Ticket type
  • Scheduling package
  • Fuel file
  • Cash machine
  • Lost mileage
  • Configuration codes
  • Interface files
  • Third-party CRM systems

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
We guarantee a 99% level of availability across our systems.
Approach to resilience
Our services run in "Five Nines" data centres operated by Microsoft, designed to be fault tolerant, with single points of failure removed.
Outage reporting
Service outage reporting is provided through internal and external monitoring tools that run 247 365.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
Access restrictions in management interfaces and support channels
The system uses Microsoft Azure Active Directory for user authentication.
Access restriction testing frequency
At least once a year
Management access authentication
2-factor authentication

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Cyber essentials
Cyber essentials plus
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
Cyber Essentials;
Cyber Essentials Plus;
EPM Bus Solutions are currently working towards ISO27001, with assistance from Cyberguard (our Cyber Security Consultants) with a target of achieving certification in September 2022.
Information security policies and processes
The Information Security policy is a key component of the company management framework. It sets out the requirements and responsibilities for maintaining the security of information within the business and incorporates the following security policies and processes:

Access Management, including; physical access, identity and passwords, user access, administrator-level access, application access, hardware access, system perimeter access (firewalls), monitoring system access and use.

Asset Management including; asset ownership, asset records and management, asset handling, removable media.

Computer & Network Management including; operations management, system change control, accreditation, software management, local data storage. external cloud services, protection from malicious software, vulnerability scanning.

Ultimate responsibility for information security rests with the company Board. Day-today the responsibility for maintaining the Information Security Policy and the business Information Risk Register and recommending appropriate risk management measures is held by the Software Director. The business information risk register is reviewed annually and fed into the overall information security plan. Information security reports are produced monthly and reported to the board.

Line Managers are responsible for ensuring that their staff are aware of: the information security policies applicable in their work areas; their personal responsibilities for information security; how to access advice on information security matters.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Company Information Security Policy states that: Administrator-level access shall only be provided to individuals with a business need who have been authorised by the Software Director. A list of individuals with administrator-level access shall be held by the Software Director and shall be reviewed every 6 months. Administrator-level accounts shall not be used for day-to-day activity. Such accounts shall only be used for specific tasks requiring administrator privileges.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Sentinel vulnerability testing tools are deployed to constantly detect and classify potential points of exploitation in network devices, computer systems, and applications. We also undertake an annual vulnerability scan of all external IP addresses carried out by a suitably qualified external company. The business then acts on the recommendations of the external company following the vulnerability scan in order to reduce the security risk presented by any significant vulnerabilities. The results of the scan and any changes made are reflected in the company risk assessment and security policy as appropriate.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Personal data and special category data are identified in the Information Asset Register in accordance with the categories in the Information Security Policy. Any data categorised as 'red' is in locked cupboards (physical) or in a restricted area of the network / password protected where appropriate (data). Note all HR data is stored in an area of the network that is accessible by Directors only.
Incident management type
Supplier-defined controls
Incident management approach
All breaches of the Information Security Policy and all other information security incidents shall be reported to the Software Director. In the result of an incident, data will be isolated to facilitate forensic examination. This decision shall be made by a Director, who will assess if a data breach has occurred and if necessary, notify any clients affected. Information security incidents shall be recorded in the Security Incident Log and investigated by a Director to establish their cause and impact with a view to avoiding similar events. The risk assessment and policy will be updated if required.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks

Social Value

Covid-19 recovery

Covid-19 recovery

We carried out and continued to maintain a thorough COVID-19 risk assessment to help protect staff and visitors to our office, including making investments to new equipment in the office and amendments to the office layout to promote and maintain social distancing.

Our risk assessment explicitly considered the mental health impact alongside the potential physical risk, and staff were supported to safely return to the office 2 days per week when government guidelines allowed it – with the option to come in as frequently as they wish.

During the Covid-19 pandemic we have grown our workforce, providing both the local community and those based nationally with opportunities within the high growth technology sector.

We also advocate the continual development of staff, providing them with regular internal training opportunities, along with a training allowance to further enhance their skillsets.

It is our intention that in the delivery of the contract, we can further expand our workforce and provide new opportunities for existing staff in the technology space.


We champion better work and working lives for our employees by supporting their physical health and safety as well as their mental health. All employees have access to an employee assistance programme (EAP), mental health first aiders and private health care.

Flexible working and hybrid working practices are not only encouraged but form part of our ethical standard that all employees balance their personal and professional priorities.

We ensure that our working practices and equipment are safe and that our working environment, management practices, work design and pay and reward practices support our employee's wellbeing towards good work.

By focusing on wellbeing at work, we aim to promote a healthier and more inclusive culture, better work-life balance, and better employee engagement.


£12.00 a unit a year
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.