Zellis Human Resource Solutions HCM AIR (ResourceLink HR and Payroll)

Service scope

Software add-on or extension: No
Cloud deployment model: Public cloud
Service constraints: Zellis will provide zellis.com domain URLs for each customer, as we do not support the use of customer-owned domain names. Please keep in mind any limitations outlined in the Zellis Fair Usage Policy. We do not offer support for your own encryption keys, or the installation of Zellis HCM Cloud into your own Azure tenant. Secure connectivity via the Internet is used therefore VPN technologies are not required. Please talk to us to discuss any legacy technologies or requirements you have become reliant upon for your HR/Payroll processes.
System requirements: Customer Azure AD for SSO and Microsoft 365 integration

Use of Microsoft Edge, Google Chrome, or Apple Safari browsers

Appropriate hardware to support the above browsers

Reliable Internet connectivity

Apple iOS or Android devices for self-service mobile app.

Appropriate Microsoft licensing for MS365 or Power Platform (if required)

Windows 10 version 1903 or above (for MS365 integration)

Microsoft 365 version 16.0.11629 or above (for MS365 integration)

Installation of Outlook Add-Ins XML manifest files (for MS365 integration).

User support

Email or online ticketing support: Email or online ticketing
Support response times: We recognise that our customers have individual needs and so we have different tiers of customer support available for our customers. Access to our customer help centre and our extensive knowledge base is available 24/7 for everyone regardless of service tier. However, response and resolution times are dependent on the priority of the case and the level of support you choose from our range of support tiers. Our multi-tier option provides differing levels of service hours from our customer support team (including 24/7 coverage if required) and enhanced service level targets alongside a range of other features.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: Web chat
Web chat support availability: 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard: None or don’t know
How the web chat support is accessible: Our live chat service is easy to use and can quickly provide answers for basic advice and guidance questions, navigational support or even to raise the priority of cases if circumstances have changed. The chat service is available 09:00 to 17:30 (UK time) Monday to Friday, excluding bank and public holidays. Extended opening hours are available to customers who subscribe to our premium support customer support service.
Our consultants will discuss your query with you, provide you with links to articles and helpful information, give you guidance on how to resolve your issue/query or open a case on your behalf should you need more detailed support with your particular case.
We take the satisfaction of our customers very seriously and users of our chat service will be asked to comment on how satisfied they were with the chat service so that we can ensure we are continuously improving the services that we deliver to our customers.
Web chat accessibility testing: N/A
Onsite support: Yes, at extra cost
Support levels: Our customer support helpdesk service manages incidents/issues raised by customers. The customer support desk standard tier operational hours are 09:00am to 17.30pm Monday to Friday (excluding Bank Holidays). The customer support helpdesk is manned by dedicated support consultants. Calls can be made via telephone, chat or via case through the customer help centre. Outside hours, calls can be logged via the customer help centre 24/7. Customers may subscribe to one of our premium tiers of customer support which provides extended opening hours, enhanced service level targets and a range of additional features.
The helpdesk is underpinned by a robust incident management system, which enables calls to be logged efficiently, issues to be managed and resolved effectively, and progress to be monitored throughout.
Customer support calls are logged on our incident management system. All calls are acknowledged, and each call is allocated a unique call reference number. This operates 24 hours per day, 7 days per week.
Calls are prioritised as agreed between the support consultant and customer, based on standard service level target (SLT) criteria. Service level targets are published within the SLT, providing target response, resolution, and escalation times for each category of priority.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: New customer onboarding is one of the most important tasks we undertake. We appoint a dedicated Customer Success Manager (CSM) for each customer. Your CSM will work with the assigned project management team and help set you on the shortest path to value, so that you will see a return on your investment as quickly as possible. Our implementation team will support you with the expertise and knowledge to successfully transition you to your new solution.
As part of onboarding new customer will be given training on our Help Centre enabling you to seek support, advice, and guidance 24/7
During due diligence we will work with you providing several standard courses as appropriate to the solution purchased. In addition, we may conduct a training needs analysis which will enable us to identify with you additional training which may be required to successful implement and obtain the best from the solution.
The Buyer employee will work through during the course and to take with them to refer to as needed.
Service documentation: Yes
Documentation formats: PDF
End-of-contract data extraction: Upon contract termination, data will be returned to the customer in a contractually agreed format in whole or destroyed in line with GDPR requirements.
End-of-contract process: A mutually agreed exit plan is implemented, providing continued Account Management, support and maintenance until the contract ends or as otherwise agreed.

Using the service

Web browser interface: Yes
Supported browsers: Microsoft Edge

Chrome

Safari
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: No difference however responsive design will re-size the screen depending on the device being used.
Service interface: No
User support accessibility: WCAG 2.1 AA or EN 301 549
API: Yes
What users can and can't do using the API: Zellis provides a robust and comprehensive collection of ODATA 4.0 (GET) and Java REST (PUT/POST/PATCH) APIs, comprising over 270 endpoints, designed to facilitate seamless read and write operations to and from the Zellis HCM Cloud.
These APIs are secured using HTTPS and OAuth2 authentication protocols, ensuring data integrity and confidentiality. By leveraging these APIs, your technical team or integration partners gain the capability to securely integrate with the Zellis HCM Cloud, enabling near real-time data exchange in a transactionally secure manner.
A wide range of operations are available using our suite of APIs. For example, new employees can be created or updating existing employees data including making them leavers.
Via the APIs, systems can request information about employees including personal details, emergency contacts, post-holding, structure unit, and cost centre. APIs can be used by other system to feed data lakes or data repositories.
As data from external systems feeds into the Zellis Data Model, it enriches the data set and enhances the business analytics capabilities.
The APIs via the Notification Hub can automatically notify other systems of changes in employee personal details, job or post holding details, absence information, grade, service conditions, and cost centre details.
API documentation: Yes
API documentation formats: Other
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: ResourceLink accommodates a considerable degree of configuration to meet buyer requirements.
Branding facilities can be provided to allow buyer to customise your self-service portal to get the look and feel if your own organisation. The branding pack allows you to amend style sheets, to customise images, logos, fonts and colours in line with existing intranet, internet and portal website styling.
ResourceLink has also been designed and developed in close consultation with the independent Customer User Group and Zellis continuously work with customer feedback from our Extranet site to enhance efficiency, intuitive data input and process flows and simple navigation. ResourceLink provides the System Administrator with the ability to customise the system in line with business requirements and tables and parameter files can be defined and maintained to configure ResourceLink in line with Buyer policies and procedures to meet the needs of different types of users.
All configurations are then protected on an on-going basis even following system upgrades, as these user changes form part of the database and not the software.

Scaling

Independence of resources: Microsoft Azure Kubernetes Service (AKS) orchestrates containerised application components, ensuring scalable and high-performance deployment smoothing peak demands. Each AKS pod serves a specific role in Zellis HCM Cloud, delivering dynamic functionality.
Azure SQL Elastic Pools manage databases, providing flexible resource allocation for varying usage demands. Zellis allocates a shared set of compute resources to a group of databases, optimising performance elasticity.
Each customer receives their own set of databases, ensuring data privacy and isolation, without mingling with others. This setup guarantees high transaction log throughput, even with lower compute resources, enhancing efficiency and security.

Analytics

Service usage metrics: Yes
Metrics types: Application performance (response times, throughput, network times etc);
Status of application servers and databases;
Resources used (memory, CPU etc)
Reporting types: Regular reports

Reports on request

Resellers

Supplier type: Reseller (no extras)
Organisation whose services are being resold: Cornerstone, Rotageek and Eploy

Staff security

Staff security clearance: Conforms to BS7858:2019
Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: No
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least every 6 months
Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest: Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation
Equipment disposal approach: A third-party destruction service

Data importing and exporting

Data export approach: Data is exported using ResourceLink reporting and analytic tool.
Data export formats: CSV

Other
Other data export formats: XLS

XML

PDF

HTML
Data import formats: CSV

Other
Other data import formats: JSON (Via APIs)

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: The solution is accessible 24/7, except during scheduled maintenance periods, for which we aim to give ample notice. These maintenance windows are carefully planned to minimise disruption and fall outside the Core Service Availability Period (CSAP), which is from 0800 to 1800, Monday to Friday, excluding public holidays.
Within the CSAP, our primary focus is on ensuring a robust operational environment, striving for a 99.5% availability rate, exclusive of planned maintenance that for operational or for reasons of expediency cannot be scheduled outside of the CSAP. This commitment underscores our dedication to delivering a dependable service to our customers.

Zellis will commit to 99% availability during the Core Service Availability Period which is 08:00-18:00 on UK working days.
Approach to resilience: Microsoft’s Azure datacentres are highly secure, offering site wide resilience and suitable environmental controls to protect the availability of systems and data. All datacentres include resilient power backed-up with UPS and generators, duplicated environmental controls, stacked network equipment, and multiple ISP links (as well as their own global network).
Azure Recovery Services Vaults and Azure SQL database services are used for in-region backup of the virtual machines and databases used to provide the service. Virtual machine disks and backups are also geo-replicated between the primary region in UK South and the DR region in UK West.
Within Microsoft Azure, a dedicated Azure Kubernetes Service (AKS) namespace is provided per customer. The Zellis HCM solution is deployed as a number of AKS containers within the namespace. Working copies of failed containers can be spawned automatically, if AKS detects said failure, and thereby provide resilience against one form of technical failure. In addition, dedicated Azure SQL databases are provided for each customer using Azure SQL Database as a Service (DBaaS). Databases are automatically replicated to different availability zones within the same Azure region, as well as geo-replication to the UK West Azure region.
Outage reporting: Any outages and other service-related information is shared via email to nominated users.

Identity and authentication

User authentication needed: Yes
User authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)

Identity federation with existing provider (for example Google Apps)

Username or password

Other
Other user authentication: SSO using OAuth2
Access restrictions in management interfaces and support channels: The Zellis SaaS environment is logically isolated from the corporate network and access to customer data is restricted.
Azure privileged administrative access is achieved via Azure Citadel using an Azure Bastion VM. Privileged access to Azure SQL is either via RBAC (Role Based Access Control) and Azure Portal, or restricted access for Database Administrators via a Jump Box with line of sight to the database.
Support access to each AKS Cluster is via both the Azure Portal (reader) and AKS Management Virtual Machine. This is by password protected SSH key and IP whitelist.
Access restriction testing frequency: At least once a year
Management access authentication: 2-factor authentication

Username or password

Audit information for users

Access to user activity audit information: You control when users can access audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users have access to real-time audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: SGS UK Ltd
ISO/IEC 27001 accreditation date: 24/07/2018
What the ISO/IEC 27001 doesn’t cover: N/A.
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: Yes
Cyber essentials plus: Yes
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: CSA CCM version 3.0

ISO/IEC 27001
Information security policies and processes: Zellis' Information Security Management System (ISMS) ensures the effective management of risks to information and information systems utilising appropriate and proportional technical and organisational measures.
The Chief Information Security Officer (CISO) has overall accountability for Information and Cyber Security within Zellis, reporting to the Chief Product and Technology Officer (CPTO), and with formal reporting lines to the Chief Executive Officer (CEO), ensuring executive oversight.
The Security Leadership team reporting to the CISO is responsible for information and cyber security functions and services within Zellis, A dedicated team of security specialists (Security team) report into the leadership team to deliver the information and cyber security practice.
A set of framework articles summarise measures, to assure Zellis customers and interested parties that the information entrusted to Zellis is appropriately secured, and to demonstrate Zellis’ compliance with applicable legal, legislative, and regulatory requirements.
The Zellis Information Security Framework comprises of eight security domains: Access & Identity Management, Cyber Security, Data Security & Information Lifecycle, Governance, Risk and Compliance, Human Resource Security, Operations Security, Physical Security and System and Software Development Security.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: We have a defined Quality Assurance procedure and carries out rigorous testing of new releases and upgrades within this context.
Functionality is tested in isolation, in conjunction with the system as a whole and by regression. We run Beta Test programs for all our releases and encourage customers to participate as and when appropriate.
All software changes made by our development or bespoke teams are tracked by a version control system and changes are made against a specified numbering system.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Zellis receives threat intelligence and other security information from various sources.
We operate a SIEM system. Logs from servers, network devices and database are copied to the SIEM and analysed by qualified Security Operations Centre (SOC) personnel for abnormal activity that may represent an Indicator of Compromise (IoC).
Monthly vulnerability scans and bi-annual penetration tests are carried out by an independent third-party consultancy who are CREST members.
Critical patches are deployed in the production environment as soon as practically possible and without undue delay. High priority patches are deployed within 30 days of the patch being agreed.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Logs from servers, network devices and database are copied to Zellis' Security Information and Event Management (SIEM) system and analysed by qualified Security Operations Centre (SOC) personnel for abnormal activity that may represent an Indicator of Compromise (IoC). Alerts are correlated and investigated by the SOC to determine if they are genuine IoCs. Documented response plans are in place for timely escalation and response to IoCs. The SOC operates on a 24/7/365 basis.
Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach: We use an ITIL model across our support area. We continually analyse the incoming tickets and categories and where trends are identified an ITIL Problem process is adopted through to route cause analysis and resolution. Priority 1 issues are reviewed through the problem process for route cause analysis.

Incidents are reported are reported via the Zellis Support portal and incident reports are made available to the Buyer via the same system.

Secure development

Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks: No

Social Value

Fighting climate change

In 2022 Zellis Group launched its ESG Framework, setting out 5-year ambitions across three areas of influence: Wellbeing for all; Diversity of thought and experiences; and Strong Communities.
We believe that as a business we have an obligation to protect our environment for future generations and have made a commitment to become operationally Net Zero by 2027 and Net Zero across all scopes by 2040, in line with the Science Based Targets Initiative (SBTi).
This ambitious target engages our whole value chain, including suppliers, colleagues, and customers.
There are five principles underpinning our environment programme:
1. Reporting and governance including a cross-functional environment working group, with Board oversight.
2. Reducing the impact from our office footprint through the procurement of renewable energy.
3. Reducing the impact of business-related travel through continued hybrid working and promoting use of public transport where travel is necessary.
4. Encouraging colleagues to play their part with regular updates and mandatory Annual Compliance Training.
5. Reducing our supply chain carbon footprint by collaborating with suppliers, factoring environmental actions and KPIs into tender processes and supplier assurance, including requirements for science-based targets in our standard terms and conditions.
In addition, we’re working to minimise the environmental impact of our products and services through promoting the uptake of HCM Cloud and digital payslips over on-premise software and paper payslips.
In the spirit of transparency, we report on our carbon emissions and climate transition plan annually through the CDP disclosure platform and publish our emissions and targets on our website.
The following KPIs are monitored each financial year:
•Electricity consumption (total)
•Renewable electricity consumption
•Gas and diesel consumption
•Number of paper payslips and customer documents printed
•Scope 1, 2, and 3, emissions
We welcome feedback from our colleagues, customers, and community members to improve our environmental programme and performance.

Pricing

Price: £0.92 a licence
Discount for educational organisations: No
Free trial available: No

Zellis Human Resource Solutions HCM AIR (ResourceLink HR and Payroll)

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

Zellis Human Resource Solutions HCM AIR (ResourceLink HR and Payroll)

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents