Skip to main content

Help us improve the Digital Marketplace - send your feedback

  1. Digital Marketplace
  2. Lot 2: Cloud software
  3. Zellis HCM (ResourceLink)
Zellis UK Limited

Zellis HCM (ResourceLink)

UK & Ireland’s leading integrated payroll and HR software. Our function-rich, multi-award-winning, cloud-based software is easily configured to meet the most complex requirements. It effortlessly integrates with existing systems and offers powerful reporting and analytical capabilities and user-friendly self-service interfaces. We additionally offer comprehensive background checking and job evaluation solutions.


  • Supports payroll, expenses, P11D, pension auto-enrolment, leave and absence
  • Quickly and reliably processes large and complex payrolls
  • Supports onboarding, performance management, learning & development tracking, succession planning
  • Time and attendance module supports multiple schedules, rotas and shifts
  • Pensions capability that works across all sectors
  • Regular updates, driven by customer experience and market trends
  • User-friendly any device access 24/7 for tracking, analysis and reporting
  • 200+ standard reports and/or build custom reports using real-time data
  • Powerful workflow-driven processes and query management with user-friendly dashboards
  • ISO 27001 certification for data and information security


  • Accurate, reliable payroll readily configured to your exact requirements
  • Legislative and regulatory compliance with pro-active advanced planning for changes
  • Supports public sector government returns and survey requirements
  • Accurate, faster pay reviews from centralised pay and reward data
  • Single data source providing integrity and reduced risk of fraud
  • Comprehensive, accurate, real-time information, enabling evidence-based decisions
  • Controlled, automated and streamlined processes driving efficiency and cost reduction
  • Enhanced employee engagement, driving productivity and retention
  • Ability to integrate employee benefits, communications, recognition and wellbeing software
  • Flexibility to re-configure provides enhanced future-proofing capabilities


£1.05 a licence

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 13

Service ID

8 2 1 3 0 7 2 9 2 8 3 1 8 7 8


Zellis UK Limited Andy McKenna
Telephone: 0800 0420315

Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
System requirements
  • Customer to provision suitable firewall-router to initiate IPSec VPN
  • Use of Microsoft Edge, Google Chrome, or Apple Safari browsers
  • Appropriate hardware to support the above browsers
  • Reliable internet connectivity

User support

Email or online ticketing support
Email or online ticketing
Support response times
Online support is provided as standard. Phone support is chargeable extra, Support hours are 9-5:30 Monday to Friday excluding bank holidays.
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
Web Chat (LiveChat is accessible via the Zellis Support portal.)
Web chat accessibility testing
Onsite support
Yes, at extra cost
Support levels
Our Support Helpdesk service is based in the UK and manages incidents/issues raised by customers. The support desk operational hours are 08:00 to 18:00 Monday to Friday (excluding Bank Holidays). The support desk is manned by dedicated support consultants. Calls can be made via telephone or the portal. Outside hours, calls can be logged via the support portal 24/7. Customers may subscribe to out-of-hours support service for Priority 1 incidents with a dedicated telephone line – Mon-Fri 18:00 to 22:00, Saturday and Sunday 10:00-16:00.
The helpdesk is underpinned by a robust Incident Management System, which enables calls to be logged efficiently, issues to be managed and resolved effectively, and progress to be monitored throughout.
Support calls are logged on our Incident Management System. All calls are acknowledged, and each call is allocated a unique call reference number. This operates 24 hours per day, 7 days per week.
Calls are prioritised in as agreed between the support consultant and customer, based on standard Service Level Agreement (SLA) criteria. Service Level targets are published within the SLA, providing target response, resolution, and escalation times for each category of priority.
Further details of our support are provided in the accompanying Service Definition Document.
Support available to third parties

Onboarding and offboarding

Getting started
New customer onboarding is one of the most important tasks we undertake. We appoint a dedicated Customer Success Manager (CSM) for each customer. Your CSM will work with the assigned project management team and help set you on the shortest path to value, so that you will see a return on your investment as quickly as possible. Our implementation team will support you with the expertise and knowledge to successfully transition you to your new solution.

During due diligence we will work with you providing several standard courses as appropriate to the solution purchased. In addition, we will conduct a training needs analysis which will enable us to identify with you additional training which may be required to successful implement and obtain the best from the solution.

Training is provided onsite, online and at Zellis office, a training manual is provided for each classroom training session for the attending. The Buyer employee will work through during the course and to take with them to refer to as needed.
Service documentation
Documentation formats
End-of-contract data extraction
Upon contract termination, data will be returned to the customer in a contractually agreed format in whole, or destroyed in line with GDPR requirements.
End-of-contract process
A mutually agreed exit plan is implemented, providing continued Account Management, support and maintenance until the contract ends or as otherwise agreed.

Using the service

Web browser interface
Supported browsers
  • Microsoft Edge
  • Chrome
  • Safari
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
No difference however responsive design will re-size the screen depending on the device being used.
Service interface
User support accessibility
None or don’t know
What users can and can't do using the API
Via the API, users can create new employees (personal details, bank details, next-of-kin, post holding, cost centre etc.), change data for existing employees, and make employees leavers.
Via the API and on demand, users can request information about employees including personal details, emergency contacts, post-holding, structure unit, and cost centre.
The API can automatically notify other applications of changes in employee personal details, job or post holding details, absence information, grade, service conditions, and cost centre details.
API documentation
API documentation formats
Open API (also known as Swagger)
API sandbox or test environment
Customisation available
Description of customisation
ResourceLink accommodates a considerable degree of configuration to meet buyer requirements.

Branding facilities can be provided to allow buyer to customise your self-service portal to get the look and feel if your own organisation. The branding pack allows you to amend style sheets, to customise images, logos, fonts and colours in line with existing intranet, internet and portal website styling.

ResourceLink has also been designed and developed in close consultation with the independent Customer User Group and Zellis continuously work with customer feedback from our Extranet site to enhance efficiency, intuitive data input and process flows and simple navigation. ResourceLink provides the System Administrator with the ability to customise the system in line with business requirements and tables and parameter files can be defined and maintained to configure ResourceLink in line with Buyer policies and procedures to meet the needs of different types of users.

All configurations are then protected on an on-going basis even following system upgrades, as these user changes form part of the database and not the software.


Independence of resources
Peak demands are smoothed using dynamic resource re-allocation and load balancing capabilities within the infrastructure. Each virtual server has a variable allocation of CPU which may be flexed dynamically so if a virtual server is quiet it can donate resources to to others and return them.
Resilient content switches load reverse proxy service to direct to the delivery tier to provide the application.
Baseline specifications for each virtual server reflect actual usage and storage pools have reserves based on real usage statistics.


Service usage metrics
Metrics types
Application performance (response times, throughput, network times etc);
Status of application servers and databases;
Resources used (memory, CPU etc)
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Data is exported using ResourceLink reporting and analytic tool.
Data export formats
  • CSV
  • Other
Other data export formats
  • XLS
  • XML
  • PDF
  • HTML
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
The SaaS-based systems are generally available for on-line use 24 hours per day, 7 days per week, excluding certain times during which housekeeping and other operational activities take place, e.g. upgrades to the SaaS infrastructure, database export routines etc.

Zellis will commit to 99% availability during the Core Service Availability Period which is 08:00-18:00 on UK working days.
Approach to resilience
Microsoft’s Azure datacentres are rated as Tier 4, offering site wide resilience and suitable environmental controls to protect the availability of systems and data. All datacentres include resilient power backed-up with UPS & generators, duplicated environmental controls, stacked network equipment, and multiple ISP links (as well as their own global network).
Azure Recovery Services Vaults and Azure SQL database services are used for in-region backup of the virtual machines and databases used to provide the service. Virtual machine discs and backups are also geo-replicated between the primary region in UK South & the DR region in UK West.
Within Microsoft Azure, a dedicated Azure Kubernetes Service (AKS) namespace is provided per customer. The Zellis HCM solution is deployed as a number of AKS containers within the namespace. Working copies of failed containers can be spawned automatically, if AKS detects said failure, and thereby provide resilience against one form of technical failure. In addition, dedicated Azure SQL databases are provided using Azure SQL Database as a Service (DBaaS). Databases are automatically replicated to different availability zones within the same Azure region, and Azure Site Recovery is implemented.
Outage reporting
Any outages and other service-related information is shared via email to previously nominated users.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
The Zellis SaaS environment is logically isolated from the corporate network and access to customer data is restricted.
Azure privileged administrative access is achieved from the Azure portal via the Azure Bastion.
Privileged access to Azure SQL is either via RBAC (Role Based Access Control) and Azure Portal, or restricted access for Database Administrators via a Jump Box with line of sight to the database.
Support access to each AKS Cluster is via both the Azure Portal (reader) and AKS Management Virtual Machine. This is by password protected SSH key and IP whitelist.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
You control when users can access audit information
How long user audit data is stored for
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Cyber essentials
Cyber essentials plus
Other security certifications
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
Zellis' Information Security Management System (ISMS) ensures the effective management of risks to information and information systems utilising appropriate and proportional technical and organisational measures.

A set of framework articles summarise measures, to assure Zellis customers and interested parties that the information entrusted to Zellis is appropriately secured, and to demonstrate Zellis’ compliance with applicable legal, legislative and regulatory requirements.

The Zellis Information Security Framework comprises of 8 security domains: Access & Identity Management, Cyber Security, Data Security & Information Lifecycle, Governance, Risk & Compliance, Human Resource Security, Operations Security, Physical Security and System & Software Development Security.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We have a defined Quality Assurance procedure and carries out rigorous testing of new releases and upgrades within this context.

Functionality is tested in isolation, in conjunction with the system as a whole and by regression. We run Beta Test programs for all our releases and encourage customers to participate as and when appropriate.

All software changes made by our development or bespoke teams are tracked by a version control system and changes are made against a specified numbering system.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Zellis receives threat intelligence and other security information from various sources.
We operate a SIEM system. Logs from servers, network devices and database are copied to the SIEM and analysed by qualified Security Operations Centre (SOC) personnel for abnormal activity that may represent an Indicator of Compromise (IoC).
Monthly vulnerability scans and bi-annual penetration tests are carried out by an independent third-party consultancy who are CREST members.
• Critical patches are deployed in the production environment as soon as practically possible and without undue delay
• High priority patches are deployed within 30 days of the patch being agreed.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Logs from servers, network devices and database are copied to Zellis' Security Information and Event Management (SIEM) system and analysed by qualified Security Operations Centre (SOC) personnel for abnormal activity that may represent an Indicator of Compromise (IoC). Alerts are correlated and investigated by the SOC to determine if they are genuine IoCs. Documented response plans are in place for timely escalation and response to IoCs. The SOC operates on a 24/7/365 basis.
Incident management type
Supplier-defined controls
Incident management approach
We use an ITIL model across our support area. We continually analyse the incoming tickets and categories and where trends are identified an ITIL Problem process is adopted through to route cause analysis and resolution. Priority 1 issues are reviewed through the problem process for route cause analysis.

Incidents are reported are reported via the Zellis Support portal and incident reports are made available to the Buyer via the same system.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks

Social Value

Fighting climate change

Fighting climate change

Covid-19 recovery

Covid-19 recovery

Throughout the crisis, we have provided 1:1 outreach opportunities to all customers for additional support they may need. This has included:
• Advice and guidance on remaining compliant with statutory and regulatory requirements
• Advice and guidance, to customers and external organisations, on how to apply the complex Coronavirus Job Retention Scheme rules
• Extensive support in the assessment of CJRS payments and claims for the payrolls that we manage.
• Emergency payroll support to customers whose in-house payroll teams had been impacted through Covid-19.

We have remained firmly committed to delivering our services to the highest possible standard while protecting the health and well-being of our colleagues, customers, and suppliers, and ensuring that the right procedures are in place to enable the safe continuation of business.

In the past twelve months we have made 83 net new hires into the organisation, of which 26% are people that were either made redundant because of Covid-19 or were looking to start a new career.

Of these, 35% were unskilled and/or at the graduate level, 58% were skilled but had been made redundant because of the pandemic, and one was skilled and looking for their first employment opportunity in their new UK home.

In line with our initial response to the spread of Covid-19, we continue to have measures in place to both protect the wellbeing, health, and safety of our colleagues and to ensure, as far as possible, that they can continue carrying out their job responsibilities. We have progressed our work-from-home capabilities for all colleagues. We have rolled out additional training on privacy and security good practice in a home environment. We have reduced non-essential travel. We have reviewed and adjusted internal controls to safeguard information security and have implemented a schedule of frequent communications to provide updates and guidance.
Tackling economic inequality

Tackling economic inequality

Equal opportunity

Equal opportunity





£1.05 a licence
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.