Medius Procurement & AP Automation
Medius Procurement and AP Automation functionality (catalogues, requisitions, purchase orders, invoices) brings automation to the purchasing process, increasing on-contract spend, reducing manual processes and delivering rapid return on investment. It allows users to buy the right products from the right supplier at the right price in a secure, online environment.
Features
- Highly intuitive user interface
- Seamless integration with ERP and other back-office systems
- Comprehensive search and catalogue functionality including approved punch-outs
- Highly configurable workflows and business model set up
- Strong approval controls and triggers including remote approvals management
- Free supplier portal with self-service supplier onboarding and maintenance
- Customisable dashboards that allow users to view spend data
- Continual product development and regular updates
- Unlimited customisable report creation, scheduling and publishing
- Securely hosted, managed and maintained on a client's behalf
Benefits
- Quick user adoption with minimal training delivers rapid ROI
- Removes manual processes and gains significant resource/time savings
- Cost savings gained with approved, on-contract spend
- Supports supplier onboarding initiatives and improves communication
- Enhances the content of supplier and catalogue information stored
- Cuts administration overheads with fewer invoice queries
- Gains complete spend control and visibility
- Auditable environment provides complete process transparency
- Delivery guidance from an experienced support services team
- Scalable solution with no IT hardware overheads.
Pricing
£34,770 a licence
Framework
G-Cloud 14
Service ID
622375386573819
Contact
Medius Software Ltd
Aaron Asvadi
Telephone: 0161 367 8375
Email: Aaron.Asvadi@medius.com
Service scope
- Software add-on or extension
- Yes, but can also be used as a standalone service
- What software services is the service an extension to
-
Medius Procurement and AP Automation are part of Medius' integrated Spend Management platform.
The intuitive software is deployed via the cloud in modules or as an entire source-to-pay suite. The platform is developed in-house on a single code base, which ensures Medius delivers a consistency of user experience.
- Cloud deployment model
- Public cloud
- Service constraints
- There are no constraints that buyers should be aware of.
- System requirements
-
- Adequate internet connection
- Stable/sufficient bandwidth
- Straight reliable connection to the internet (no proxies etc.)
- Access to recommended internet browsers
- Avoid running the application on Citrix or desktop virtualisation platform
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- Medius endeavours to respond to and resolve any issues/questions within the target response times as defined within the standard agreement (terms and conditions) and order forms. The response time to an issue varies depending on the severity and assigned priority level of the issue.
- User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- No
- Onsite support
- Onsite support
- Support levels
- Medius uses state-of-the-art management processes to log, track and resolve issues, delivering the highest possible levels of accountability, traceability, and visibility. Clients have access to an online support helpdesk tool, which provides the tools to view current service levels; submit new requests; receive updates on existing requests; and review the entire support history. The helpdesk has full issue resolution, audit and escalation workflow functionality to allow issues to be reported and managed. This facility is available 24 hours a day, assisting Medius to resolve issues in a timely manner, no matter when or where they occur. A manned Technical Helpdesk & Support service is available during normal business hours Monday to Friday (excluding public holidays). Support charges are included within the annual subscription fee unless an incident is caused by the client or is classified as a service request or change request. Clients also have a dedicated Account Manager, whom they meet regularly to review the ongoing service delivery, and if any issues are raised these are noted, resolved or escalated at the weekly management meeting. The Account Manager takes an active role in supervising the delivery programmes and is the key point of escalation for any issues during and after implementation.
- Support available to third parties
- No
Onboarding and offboarding
- Getting started
-
During implementation, Medius will operate training packages to transfer skills to the key gateway users; allowing users to manage the user interface, workflows, forms, and screens. Training course duration, location, and attendee numbers vary per user requirements and will be confirmed during the initiation phase of the implementation process.
As standard, Medius operates a ‘train the trainer’ program that enables super users to be trained on the software application in order that they can disseminate this knowledge, along with accompanying supplied collateral, throughout the organisation. These are typically conducted remotely and divided into 3–4-hour sessions at a time. The estimated time also allows for follow-up training sessions on select topics.
Following final delivery, a period of hypercare is provided before day-to-day support is enabled via Medius Customer Support. Medius also provides online training documentation for administration and use of the application. Guides take the form of a graphical walk-through of the screens involved in the business process from a user, administrator and operator perspective, with a step-by-step narrative, to give the most intuitive training and reference resource possible. These are available at all times via the Medius Success Portal: https://success.medius.com/
- Service documentation
- Yes
- Documentation formats
-
- HTML
- Other
- Other documentation formats
- Webpages
- End-of-contract data extraction
- Upon the expiration or termination of Master Cloud Subscription Agreement, the customer shall retrieve its Data in a commercially reasonable timeframe. If the customer requests Medius’ assistance, Medius shall charge the customer its standard time and materials rates for such work. Medius agrees to store Customer Data one (1) month after an Agreement’s expiration or termination or until any requested transfer of data has been performed, after which the data will be deleted no later than ninety (90) days thereafter unless another retention period is agreed. Notwithstanding the foregoing, Customer Data in back-ups may be retained in accordance with Medius’s standard back-up routines for up to two years following termination of this Agreement, provided such back-ups are maintained in a secure manner.
- End-of-contract process
-
If a client decides not to renew the contract, Medius will initiate an Exit Plan. This ensures an orderly migration of data and services to the client or, at the client’s request, a replacement supplier.
If required, Medius can provide an export of data from the application in an agreed format at the client's cost. On satisfactory completion of the Exit Plan, Medius shall confirm that all data and materials belonging to the client have been delivered and deleted from all systems.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 11
- Microsoft Edge
- Firefox
- Chrome
- Safari
- Application to install
- No
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
-
Medius' responsive web design and support for HTML 5.0 standards allow it to be used in the same consistent manner on any HTML-compliant browser irrespective of the device: PCs, laptops, tablets and mobile devices. No app needs to be downloaded or managed.
The mobile-friendly interface allows users to access, authorize, and comment on documents. The following types of documents are currently supported as standard:
- expense (non-PO) invoices
- order-based invoices
- recurring invoices
- purchase requisitions
- Service interface
- Yes
- User support accessibility
- None or don’t know
- Description of service interface
- A user-friendly interface is common across the application with a standard 'look and feel' that can be navigated using a series of quick links or drilldown menus. A .NET GUI generator ensures that the user interface is dynamic, with every button and graphic generated on the fly to offer a personalised experience to each user. Where possible, information is pre-populated, defined by the individual user login, to minimise the burden of data entry and reduce any opportunities for error. Additionally, the interface is continually enhanced: Medius employs specialist UX consultants and a dedicated design team to drive independent best practices.
- Accessibility standards
- None or don’t know
- Description of accessibility
-
Medius is designed to be highly flexible with easy-to-use functions that are accessible for all users from a variety of backgrounds. The intuitive user interface renders complex processes simple, thereby allowing thousands of users to engage with the system. The system is already in use within the public sector and can be configured to comply with specific requirements.
Medius aims to conform to the W3C and Level AA standard. Where the highest standards of accessibility cannot be met for any reason, Medius will provide the information in an accessible format on request.
- Accessibility testing
- If required, Medius would be willing to assess the ability to integrate its application with assistive technologies.
- API
- Yes
- What users can and can't do using the API
-
Seamless integration with other systems can be delivered via pre-packaged ERP connectors for ERPs (such as SAP, Microsoft Dynamics, Infor M3, Iptor), File Exchange APIs, and/or a REST Web API. These facilitate connectivity and the smooth synchronization of data, including GL accounts, payment terms, POs and tax codes. For example, the REST API is authorised with OAuth2, which makes it flexible and easy to use from any platform. This supports the exchange of data between the two systems in XML and JSON formats.
For further information on the Medius connectors and APIs, please see:
https://success.medius.com/documentation/cts-documentation/
https://success.medius.com/documentation/integration-documentation/
- API documentation
- Yes
- API documentation formats
- Other
- API sandbox or test environment
- Yes
- Customisation available
- Yes
- Description of customisation
-
Medius understands that each organisation has its own unique requirements and as such, has designed its modules to be flexible and adaptable to all current/future business objectives and cases. Most of the objects and options in the application can be created, removed or changed and generally configured in the administration pages of the application. Users simply click ‘Administration’ in the application’s navigation bar to search through the pages and find the appropriate setting/control.
Please note that the list of available administration pages that are displayed as well as configuration options, depend on the user’s access rights and permissions.
A high level of personalisation for key areas is also available including dashboards, forms, favourites, new supplier and users etc. with users able to customise their display settings. Customisable dashboards deliver real-time windows on all key system and user activities, whilst powerful reporting facilities provide tailored management information to drive better business decisions. Users are able to delve into the system data at a granular level and create, save and share any number of personalised reports that can be exported.
Scaling
- Independence of resources
-
Client systems are segregated by single application and database instances. These are managed, backed up and configured as if they were isolated on a stand-alone environment.
Medius is also built for Microsoft Azure to take advantage of the security, scalability and business continuity it offers. The Medius Cloud Operations team monitors the SaaS solution continually and proactively manages capacity and scalability to ensure availability and performance. Where additional capacity is required, the necessary work is scheduled for completion and Azure is scaled to the new requirements by the Cloud Operations team.
Analytics
- Service usage metrics
- Yes
- Metrics types
-
Medius supports service metrics through in-built analytics and reporting. Dashboards can be used to monitor system usage including active users, value of spend associated with each account, and spend by supplier etc.
Nominated client users also have access to a class-leading Customer Support Portal and Helpdesk, which is used to:
- Submit new Support Events
- Update open Tickets
- Check the status of any Ticket and export a list of tickets if needed
Utilizing this resource, clients can communicate with Medius, and see every ticket recorded, what steps have been taken, and how Medius are performing against established SLAs.
- Reporting types
-
- Real-time dashboards
- Regular reports
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- Up to Baseline Personnel Security Standard (BPSS)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
-
- United Kingdom
- European Economic Area (EEA)
- User control over data storage and processing locations
- No
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- Another external penetration testing organisation
- Protecting data at rest
- Physical access control, complying with another standard
- Data sanitisation process
- Yes
- Data sanitisation type
-
- Explicit overwriting of storage before reallocation
- Deleted data can’t be directly accessed
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
- Through in-built search and reporting capabilities, data can be extracted from the database into a dataset where it can be saved and exported in a standard format (e.g. CSV, XML and/or pdf file) for delivery to the user.
- Data export formats
-
- CSV
- ODF
- Other
- Other data export formats
-
- XML derivatives
- Data import formats
-
- CSV
- ODF
- Other
- Other data import formats
-
- XML derivatives
- EDI
Data-in-transit protection
- Data protection between buyer and supplier networks
- TLS (version 1.2 or above)
- Data protection within supplier network
- TLS (version 1.2 or above)
Availability and resilience
- Guaranteed availability
-
In accordance with the Master Cloud Subscription and Services Agreement, Medius shall provide the Cloud Service of the production environment with an availability of 99% or higher as measured per calendar month.
Service credits are available if Medius fails to meet 99% availability. The Service Credit shall be equal to two (2) percent of the total Cloud Service subscription fee for the affected quarter for each percentage below 99%. The maximum amount of a Service Credit per calendar quarter shall be twenty (20) percent of such fee.
- Approach to resilience
- Available on request.
- Outage reporting
-
Scheduled maintenance for the purposes of releasing updates of new functionality shall be communicated by Medius at least 7 days in advance via the online helpdesk. Scheduled maintenance for the purposes of securing business continuity (for example virus protection, security updates or third party release service packs) may however be communicated by Medius with less than 7 days’ notice, if it is reasonably expected to be in the interest of Cloud Service users in general.
Medius may in its sole discretion take the Cloud Service down for unscheduled maintenance in which case it will strive to notify its clients in advance. Such unscheduled maintenance will be counted as Downtime. However, the exact length of time will be subject to the specific circumstance and the issue that needs to be resolved.
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- 2-factor authentication
- Identity federation with existing provider (for example Google Apps)
- Username or password
- Access restrictions in management interfaces and support channels
-
Medius deploys access control mechanisms to protect critical and sensitive information including authorisation, segregation of privileges and passwords. The IT Support and Cloud Operations departments are responsible for ensuring that both logical and physical access to sensitive information and systems are controlled, and procedures are in place to ensure their protection.
Access control rules and rights to applications, expressed in standard user profiles, for each user and/or group of users are clearly stated, together with the business requirements in a Default Access Matrix. All access granted, modified and terminated is recorded.
- Access restriction testing frequency
- At least once a year
- Management access authentication
-
- 2-factor authentication
- Identity federation with existing provider (for example Google Apps)
- Username or password
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- User-defined
- Access to supplier activity audit information
- Users contact the support team to get audit information
- How long supplier audit data is stored for
- User-defined
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- NQA
- ISO/IEC 27001 accreditation date
- 16/09/2020
- What the ISO/IEC 27001 doesn’t cover
- Certification only covers UK operations. Medius Software's Information Security System is certified for the design, development and provision of spend management software and services.
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- No
- Cyber essentials plus
- No
- Other security certifications
- Yes
- Any other security certifications
-
- SOC1 Type 2 (ISAE 3402, SSAE 21)
- SOC 2 Type 2 (ISAE 3000)
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- Other
- Other security governance standards
- SOC1 Type 2 (ISAE 3402, SSAE 21) and SOC 2 Type 2 (ISAE 3000)
- Information security policies and processes
-
Medius operates an Information Security Management System that is based on ISO 27001 standards and applies to all employees and sub-contractors in all Medius Group companies and countries working with Medius. The scope includes all information assets that belong to Medius or are managed by Medius (e.g. customer information in the Medius Cloud solution). In the UK, this is certified to the ISO 27001:2013 standard.
This includes a set of Information Security-related policies that have been approved by the CEO and the executive management team and that everyone in the company is obligated to follow. These policies describe Medius' ambition, goal, organization and responsibility in the information security area as well as important rules and guidelines for how Medius employees and partners are allowed to access and use information assets, customer data, systems, devices etc.
Medius also undergoes regular SOC 1 Type 2 (ISAE 3402, SSAE 21) and SOC 2 Type 2 (ISAE 3000) audits, receiving reports that its existing customers can use for auditing purposes. The reports are issued by Ernst & Young and copies can be provided upon formal request.
Operational security
- Configuration and change management standard
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Configuration and change management approach
-
In accordance with a Change Control Procedure, all significant, non-routine changes to the organization, business processes, information processing facilities and systems are controlled by the online helpdesk and escalated to the appropriate personnel.
A risk assessment may be undertaken at the discretion to identify potential risks, impacts and controls in line with the risk management framework. Where required by risk assessment, fallback procedures or a roll-back strategy may be prepared.
All changes are tested thoroughly and applied to a User Acceptance Testing environment for sign off and approval. The changes are then rolled out to the live platform.
- Vulnerability management type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Vulnerability management approach
-
Medius has robust mechanisms in place for vulnerability and patch management. All application, system and network device vulnerabilities are assessed, and all security patches are applied in a timely manner following a risk-based approach to prioritise the critical patches. For example, Medius follows Microsoft Azure routines regarding patches and anti-malware, please see the following for detailed information: https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware
Security patch management is an integral part of operations in order to help protect systems from known vulnerabilities. The Azure platform utilizes integrated deployment systems to manage the distribution and installation of security patches for Microsoft software.
- Protective monitoring type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Protective monitoring approach
-
System technical vulnerabilities that may impact availability and performance are scanned daily using hardware firewalls and anti-malware. These monitor all network and IT equipment (including servers), providing security scanning, performance, and capacity management. SSL/TLS assessments are also completed weekly.
Azure security is also monitored with the aid of centralised monitoring, correlation, and analysis systems that manage the large amount of information generated by devices within the environment, providing pertinent and timely monitoring and alerts.
Alerts are triggered by set criteria and are responded to with the appropriate actions taken to rectify any problems.
- Incident management type
- Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
- Incident management approach
-
Security incidents are notified, reported and remedied following Medius' Incident Response and Management Procedures. The helpdesk records all security incidents immediately upon receipt, allocating to each a unique reference and uses these records to ensure that all such reports are analysed and closed out.
Actions are then invoked as set out in the standing work instructions, plus any additional activities that are considered necessary to contain and recover from the incident and implement contingency plans. Customers then receive confirmation that the affected business systems have been restored and that the required controls are operational to enable a return to normal working.
Secure development
- Approach to secure software development best practice
- Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)
Public sector networks
- Connection to public sector networks
- No
Social Value
- Social Value
-
- Fighting climate change
- Covid-19 recovery
- Tackling economic inequality
- Equal opportunity
- Wellbeing
Fighting climate change
As a SaaS provider with the majority of services deployed and supported remotely, Medius has minimal environmental impacts. To ensure that it operates in the most sustainable manner, Medius has a documented Environmental Policy that outlines the company's environmental commitments in every aspect of its operations. This is a continual and ongoing process, and the aim is to adopt a long-term, preventive approach using sustainable solutions in order to constantly improve on the company's environmental performance.
With the ultimate goal of contributing towards an ecologically sustainable society, Medius:
- Increases knowledge and raises awareness of environmental issues within the company.
- Follows the relevant environmental legislation and environmental regulations.
- Prioritises products that are safe, energy-efficient, and environmentally friendly in terms of future recycling and safe disposal.
- Prioritises environmentally labelled and recyclable products when making purchases for internal use. Sorts all waste and is aware of environmental considerations in relation to the maintenance of its properties.
- Partners with Veritree to plant a tree for every piece of content downloaded from its website.
- Provides ‘Cycle to Work’ and ‘Electric Vehicles’ salary sacrifice
Additionally, the solution is hosted by Microsoft Azure, which has been carbon neutral since 2012 and has a range of sustainability practices in place. For further information, please see: https://azure.microsoft.com/en-gb/explore/global-infrastructure/sustainability
Covid-19 recovery
As most of Medius Software's core business operation systems are cloud-based, it meant the business could continue as usual during the uncertainty and disruption of the pandemic. Medius did not experience any significant impact to its normal services with the software remotely deployed, maintained, supported and upgraded. Furlough was not required with all staff able to work from home utilizing equipment, systems and processes that ensured the channels of communication with clients were not affected.
To aid social value recovery, Medius has committed to its growth and increasing employment and personnel development opportunities. A policy of flexible hybrid working has also been implemented to help with employee wellbeing and to fit with changes in circumstances.
Tackling economic inequality
Medius Software Ltd’s Head Office is based in Manchester, and employs a number of people from across the UK and within the local area. This has led to multiple employment opportunities being provided in the last 12 months. Medius is committed to increasing personnel development and new skills opportunities. Additionally, a policy of flexible hybrid working has been implemented to help with employee wellbeing and to fit with changes in circumstances as well as reduce the impact on the environment in relation to the office commute.
Medius also takes steps to minimise the gender pay gap and ensure that women and men are paid equally to do the same work. To ensure better outcomes for employees, Medius pays at least the National Minimum Wage, conducts an annual pay review and completes industry benchmarking exercises.
Equal opportunity
Medius respects the fundamental rights and international labour standards as set out in the UN Declaration of Human Rights and in the core convention of the International Labour Organisation and publishes an annual Modern Slavery and Human Trafficking Statement.
Medius is committed to creating a working culture that respects, celebrates and harnesses differences to the benefit of customers, employees, business partners and the wider community. Equality, human rights and diversity form part of Medius’ Corporate, Social and Responsibility Policy. The principle of equal opportunities for everyone in employment is an important part of Medius’ working culture. As such, Medius aims to have:
- A workplace free from discrimination on the grounds of age; disability; gender reassignment; marriage and civil partnerships; pregnancy and maternity; race; religion or belief; sex; and sexual orientation; and
- A recruitment programme that is based solely on the objective assessment of ability, qualifications and other job-related criteria.
Medius employees are expected to respect all individuals and each other’s rights, customs and traditions, creating a workplace that is based on mutual trust, and where every person feels responsible for the performance of the company.
Wellbeing
Medius invests significantly in employee wellbeing, partnering with organisations such as Unum that provide benefits free of charge to employees. These include physical and mental health support as well as online counselling.
For the wider community, the Medius Group and individual entities within it run a number of social and local initiatives. For example, in 2021 the Group selected Save the Children and donated $2,000 to their Afghanistan Crisis Children's Relief fund. Members of the Medius UK team have also worked with Choose Love, Mustard Tree and Manchester Homeless Donations. Medius Poland sponsors animals in a local zoo; runs a volunteer project to improve the plasma donation process; and supports Ukraine by sorting and donating clothes. Medius North America donated over $700 in monetary and physical donations to two local Jacksonville charities.
Pricing
- Price
- £34,770 a licence
- Discount for educational organisations
- No
- Free trial available
- No