Symphony
Provision of EPoS Solution for catering outlets
Features
- State-of-the-art EPOS Systems
- Omni-channel Payment Solutions
- Loyalty & Rewards
- Online Ordering with Preorder
- Stock Management Software
- Business Intelligence and Analytics
- Merchant Services for lower payment processing fees
- Manage multi-site complex operations from a single view
- Cross-platform available on Windows, Android and iOS.
- Installation, maintenance, support and loan device options available
Benefits
- manage stock and inventory accurately
- provide an online ordering platform for food ordering
- Provide a fully compliant cloud based EPOS solution
- Full loyalty solution for customer engagement and reward
- live dashboard view of entire EPOS estate on mobile device
Pricing
£240 to £480 a licence a year
- Education pricing available
- Free trial available
Service documents
Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format,
email the supplier at pjewell@mcr-systems.co.uk.
Tell them what format you need. It will help if you say what assistive technology you use.
Framework
G-Cloud 14
Service ID
6 6 1 9 5 8 0 4 4 2 9 1 6 9 4
Contact
MCR SYSTEMS LIMITED
Paul Jewell
Telephone: 0116 225 3462
Email: pjewell@mcr-systems.co.uk
Service scope
- Software add-on or extension
- No
- Cloud deployment model
- Private cloud
- Service constraints
- Most releases are non-impacting, however, from time to time, maintenance is required, and any downtime is communicated well in advance. Our EPOS technology does offer offline capability to accommodate both our maintenance, and maintenance or downtime experienced on your local communications. Our system uptime for the previous 90 days is 99.9% across all services.
- System requirements
-
- Data Point: 1 x Network Outlet
- TCP/IP: Static or DHCP
- Segregated VLAN
- 2 x 13A Mains power supply within 1m
- Internet Connection (minimum 10Mb ADSL/DSL recommended)
- Firewall changes to support certificate authorities
- Option to be configured to operate with Proxy Servers
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
-
45 mins to 8hr fix dependent on agreed SLA and KPI.
45 mins - Priority 1 as in cant trade through to a report wont export IE 8hrs. - User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), 7 days a week
- Web chat support
- Web chat
- Web chat support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support accessibility standard
- WCAG 2.1 A
- Web chat accessibility testing
- The webchat screen is a triage element hosted within the MCR website which is WCAG2.1A rated. This can result in a support call being solved, or triage and a support call being lodged and a support desk analyst contacting the customer.
- Onsite support
- Yes, at extra cost
- Support levels
-
PRIORITY: Priority call out (within 3-business days), loan device, full access to the Support Deck and remote support. Up to 2x on-site callouts per POS Terminal device per contract year is included within this service.
ENHANCED: As above in Priority (same or next business day), plus includes parts and labour for the POS terminal, including screen, main-board, power supply, but excludes replacement of parts for faults diagnosed as Hard Drive/SSD or related to hardware faults of peripheral devices (MSR, printers etc). Up to 3x on-site callouts or replacement part services per device per contract year are included within this service.
ENHANCED PLUS: As above however Up to 5x on-site callouts or replacement part services per device per contract year are included within this service.
MCR supplies a named and dedicated AM as a daily contact and they run weekly and monthly check-ins and a full quarterly business review attended by Head of Support, Commercial, and the dedicated project Manager.
All costs include SAAS support and the support costs are determined by level and hours covered, ranging from £10 a month per device through to £50 - Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
-
Initial consultancy meetings will be held to establish the primary goals and functional requirements of the client, identify stakeholders, and understand deployment timelines. The MCR Project Management team are Prince2 trained. The assigned MCR PM/Consultant will find the ‘best-fit’ strategy for implementing the deployment of Symphony to meet these requirements, with the aim of delivering accurate and invaluable data to the right members of your management team at the right time to enable strategic decision making. Part of this process will include defining user roles within the clients’ business, establishing a training plan, and confirming the site structure within the database.
Full project plan is shared with agreed project meetings and milestone meetings, to include all system build, install and training from project kick off to Go-Live.
All training materials are issued post training with access to multiple online learning tools and reference materials including webinars and full illustrated release notes. - Service documentation
- Yes
- Documentation formats
-
- HTML
- Other
- Other documentation formats
-
- .xls
- Wiki links
- Webinars
- Video tutorials
- Illustrated release notes
- Hard copy - discouraged where possible
- End-of-contract data extraction
-
Users can run reports and extract data in html, .xls, .csv. PDF and Word formats. In addition, we provide a full data export file to customer SFTP server either the morning after the days before trading, or live throughout the trading day.
MCR can export data if agreed with the client to assist with any offboarding or audit exercises. - End-of-contract process
-
The contract is pre-agreed before going live, this will cover all onboarding costs, training, hardware, set up and install as well as license and ongoing SAAS licenses as examples.
Prices are usually subject to CPI increase at the anniversary of the go live date, however for multi-year contracts price increases maybe frozen for initial term. Contracts go up in prices if you increase the size of your estate (Relative to number of licences) and if you take additional services not taken on commencement,
Off boarding runs the project in revers, once notice is given and exit dates agreed, your MCR PM will take you through the offboarding process, including any data exports, reports etc.
The client owns the hardware and they may choose to use this with another supplier, should they not, then dependent on age of device MCR may look at buying back or offer a full WEE Disposal service.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 11
- Microsoft Edge
- Firefox
- Chrome
- Safari
- Opera
- Application to install
- Yes
- Compatible operating systems
-
- Android
- IOS
- Windows
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
- Built specifically for mobile and tablet, the solution is device aware and browser agnostic - resizing to maximise the space available.
- Service interface
- Yes
- User support accessibility
- WCAG 2.1 A
- Description of service interface
- Dependant on the required service, a number of APIs are available.
- Accessibility standards
- WCAG 2.1 A
- Accessibility testing
- Mixture of tooling - including Google Lighthouse for testing.
- API
- Yes
- What users can and can't do using the API
- APIs available to import products, prices, operators and additional metadata
- API documentation
- Yes
- API documentation formats
- Open API (also known as Swagger)
- API sandbox or test environment
- Yes
- Customisation available
- Yes
- Description of customisation
- The solution is completely configurable. System administrators within the client have the ability to customize the solution in every aspect from product, through promotions, stock, loyalty and loyalty rules and pre-order solution. Screens can be customized and completely bespoke by outlet or even POS point.
Scaling
- Independence of resources
- We are able to scale out and up the infrastructure as needed depending on demand and time of year for example.
Analytics
- Service usage metrics
- Yes
- Metrics types
- Depending on the detail required, it can be available via various routes.
- Reporting types
-
- Real-time dashboards
- Regular reports
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- None
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- No
- Datacentre security standards
- Managed by a third party
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
- Protecting data at rest
-
- Physical access control, complying with SSAE-16 / ISAE 3402
- Physical access control, complying with another standard
- Encryption of all physical media
- Data sanitisation process
- No
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
- Users can run reports and export this data. In addition MCR have a module which can export more detailed information on a scheduled basis.
- Data export formats
-
- CSV
- Other
- Other data export formats
-
- XLS
- DOC
- HTML
- JSON
- Data import formats
-
- CSV
- Other
- Other data import formats
-
- XML
- JSON
- XLS
Data-in-transit protection
- Data protection between buyer and supplier networks
- TLS (version 1.2 or above)
- Data protection within supplier network
- TLS (version 1.2 or above)
Availability and resilience
- Guaranteed availability
-
MCR Systems hosting is via our hosting partner, GTT, who we are entering our 10th year in partnership with. We have a primary hosting centre near London and a live DR site in Slough. The platform is covered under AoC as a SAQ-D solution as well as cyber essentials. MCR have a 24/7/365 team monitoring security events and incidents utilising the very latest SIEM (Security Information and Event Management) and FIM (File Integrity Monitoring) software and uses next generation firewalls as well as data base level encryption. MCR databases automatically replicate on to alternative servers using the high availability servers so downtime is less then 1% across a 12 month period. Our hosting platform is fully assessed by an external Qualified Security Assessor as SAQ-A and SAQ-P2PE PCI DSS Compliant and our Data Processor is registered with the ICO. We have a full DR with defined RPO and RTO failover procedures.
We have a target of system uptime availability of 99% across a 12 month period. - Approach to resilience
- MCR Systems hosting is via our hosting partner, GTT, who we are entering our 10th year in partnership with. We have a primary hosting centre near London and a live DR site in Slough. The platform is covered under AoC as a SAQ-D solution as well as cyber essentials. MCR have a 24/7/365 team monitoring security events and incidents utilising the very latest SIEM (Security Information and Event Management) and FIM (File Integrity Monitoring) software and uses next generation firewalls as well as data base level encryption. MCR databases automatically replicate on to alternative servers using the high availability servers so downtime is less then 1% across a 12 month period. Our hosting platform is fully assessed by an external Qualified Security Assessor as SAQ-A and SAQ-P2PE PCI DSS Compliant and our Data Processor is registered with the ICO. We have a full DR with defined RPO and RTO failover procedures.
- Outage reporting
- There is a public dashboard which customers can view to see whether any services are down. In addition, there are email alerts. Finally, major customers will be contacted by telephone for significant outages.
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- 2-factor authentication
- Username or password
- Access restrictions in management interfaces and support channels
- User role based access management.
- Access restriction testing frequency
- At least once a year
- Management access authentication
-
- 2-factor authentication
- Username or password
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- Between 1 month and 6 months
- Access to supplier activity audit information
- Users have access to real-time audit information
- How long supplier audit data is stored for
- Between 1 month and 6 months
- How long system logs are stored for
- Between 6 months and 12 months
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- Intertek
- ISO/IEC 27001 accreditation date
- 31/08/2023
- What the ISO/IEC 27001 doesn’t cover
- The protection of data during the sales, design & development, delivery, support and and maintenance of a POS solution and support services in accordance with Statement of Applicability issue 1.0.
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- Yes
- Who accredited the PCI DSS certification
- Claranet Limited
- PCI DSS accreditation date
- 22/03/2024
- What the PCI DSS doesn’t cover
- AOC available.
- Cyber essentials
- Yes
- Cyber essentials plus
- No
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Information security policies and processes
-
MCR Systems have multiple policies and processes as part of ISO27001 including, but not limited to, policies on:
Information Security Policy; Governance Reporting; Starter, Leavers and Changes; Security Training; PCI DSS Security Training; Password and MFA; Systems Service Provider; Access Control; BYOD policy; Acceptable Usage; Clean Desk; Visitors; Risk Management; Incident Response; Data Classification; Data Protection and GDPR; Data Retention and Removal; Data Breach; Asset Management; Patch Management; BCP and DR; Software Development; Change Control; Cloud Services; PCI DSS Acknowledgement; P2PE Instructions; IT Security Testing; Logging and Monitoring; Endpoint Security; Network Management; Vulnerability Management; Physical Security; Data Encryption; Firewall Policy.
These policies are distributed using the KnowBe4 software at least once a year and have to be acknowledged by all employees.
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
- MCR Systems have robust configuration and change management processes and this is reviewed as part of ISO 27001 and PCI DSS audits. All changes must be approved at a weekly CAB meeting. In addition the change request must include testing results, security considerations and a rollback plan as well as implementation and communication plans.
- Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
-
Potential Threats are identified by multiple sources such as SOC, our third party managed security provider, software suppliers (e.g. MSRC notifications), other security sources, ASV scans, pen tests.
These threats are assessed and ranked with consideration also given to technical constraints, customer impact and compensatory controls.
Critical/zero day vulnerabilities are patched as soon as physically possible. Other vulnerabilities are patched between 7 and 30 days depending upon their risk and assessment ranking. - Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
- Potential compromises could be identified by multiple sources such as IOCs on the SIEM, users reporting unexpected behaviors, our SOC team seeing suspicious activities. MCR have a data breach policy which is followed. The response depends on the circumstance and usually include a mixture or all of the following: detection, initial investigation and analysis, isolation and containment, impact assessment, communication to stakeholders, forensics investigation, recovery or restores, mitigations, lessons learnt and policy reviews. The speed of the response depends on the risk of the incident but are usually treated as urgent (GDPR which has a 72 hour reporting requirement).
- Incident management type
- Supplier-defined controls
- Incident management approach
- MCR Systems has pre defined processes in a security incident response policy for common events. Users report incidents via telephone, email or logging tickets from their desktop. Reports are created manually for major incidents.
Secure development
- Approach to secure software development best practice
- Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)
Public sector networks
- Connection to public sector networks
- No
Social Value
- Social Value
-
Social Value
- Fighting climate change
- Equal opportunity
- Wellbeing
Fighting climate change
The hospitality industry now can calculate the greenhouse gas footprint of menus, and our solution has the ability to have this information displayed on the till under product information along with allergen and nutritional content in all POS journeys, Self-serve journeys and within the APP.
Should you make use of the MCR native label printing and you may print a label for a made product on site IE a Sandwich containing this information also. Please bear in mind appropriate label sizing so that all information on the label is clearly legible. The label module will pick up label sizes for more environmentally friendly labels should you choose to print them .
As part of our journey to ISO 14001 – we have closely looked at how our activities impact not just the environment but our immediate environment and have swapped packaging to be compostable and fully recycled and recyclable where possible.
We have switched from packing “wotsits” to a a recycled and compostable packaging, including the outer boxes where possible, we ask supplier to use recycled materials and limit the contents of non recyclable materials.
We have started to measure our carbon footprint with targets over the next 12 months, 3 and 5years to reduce this significantly.
We have a full e-receipt module to remove the requirement for printed receipts and we also offer a full kitchen management solution to further reduce the requirement to print.Equal opportunity
We strive to ensure that we carry out actions and conduct our business in a progressively moral and ethical manner. Acting ethically is one of the underlying principles of our Company and its business. Our aim is to ensure consistent and fair treatment of each other and to uphold the professional standards that we expect. This means, among other things, that we conduct our work and our internal and external professional relationships with integrity and in line with all relevant professional standards and guidelines.
This Policy is written in accordance with the Equality Act (2010), and its purpose is to:
▪ provide equality, fairness and respect for all in our employment, whether temporary, part-time or full-time,
▪ not unlawfully discriminate because of the Equality Act protected characteristics of age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race (including colour, nationality, and ethnic or national origin), religion or belief, sex (gender) and sexual orientation,
▪ oppose and avoid all forms of unlawful discrimination. This includes in pay and benefits, terms and conditions of employment, dealing with grievances and discipline, dismissal, redundancy, leave for parents, requests for flexible working, and selection for employment, promotion, training or other developmental opportunities.
The Equality Act brings together 116 pieces of separate discrimination law to provide a legal framework to protect the rights of individuals and advance equality of opportunity for all.
Our full policy is available for review on requestWellbeing
We have recently launched Mental health first aid courses for our employees and are conscious to provide to everybody the tools and environment for them to feel valued, supported and understood.
We are a very inclusive company with weekly news bulletins containing full department and company updates along with a full in person quarterly townhall meeting in a social setting.
Pricing
- Price
- £240 to £480 a licence a year
- Discount for educational organisations
- Yes
- Free trial available
- Yes
- Description of free trial
- A full proof of concept SOW is agreed, with defined time periods and defined success criteria, with the pre-agreement that should criteria be met then a contract is agreed.
Service documents
Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format,
email the supplier at pjewell@mcr-systems.co.uk.
Tell them what format you need. It will help if you say what assistive technology you use.