Zellis UK Limited

Zellis HCM (ResourceLink)

UK & Ireland’s leading integrated payroll and HR software. Our function-rich, multi-award-winning, cloud-based software is easily configured to meet the most complex requirements. It effortlessly integrates with existing systems and offers powerful reporting and analytical capabilities and user-friendly self-service interfaces. We additionally offer comprehensive background checking and job evaluation solutions.

Features

• Supports payroll, expenses, P11D, pension auto-enrolment, leave and absence
• Quickly and reliably processes large and complex payrolls
• Supports onboarding, performance management, learning & development tracking, succession planning
• Time and attendance module supports multiple schedules, rotas and shifts
• Pensions capability that works across all sectors
• Regular updates, driven by customer experience and market trends
• User-friendly any device access 24/7 for tracking, analysis and reporting
• 200+ standard reports and/or build custom reports using real-time data
• Powerful workflow-driven processes and query management with user-friendly dashboards
• ISO 27001 certification for data and information security

Benefits

• Accurate, reliable payroll readily configured to your exact requirements
• Legislative and regulatory compliance with pro-active advanced planning for changes
• Supports public sector government returns and survey requirements
• Accurate, faster pay reviews from centralised pay and reward data
• Single data source providing integrity and reduced risk of fraud
• Comprehensive, accurate, real-time information, enabling evidence-based decisions
• Controlled, automated and streamlined processes driving efficiency and cost reduction
• Enhanced employee engagement, driving productivity and retention
• Ability to integrate employee benefits, communications, recognition and wellbeing software
• Flexibility to re-configure provides enhanced future-proofing capabilities

£1.05 a licence

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bidsupport@zellis.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

821307292831878

Contact

Andy McKenna
0800 0420315
bidsupport@zellis.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: None.
• System requirements:
  • Customer to provision suitable firewall-router to initiate IPSec VPN
  • Use of Microsoft Edge, Google Chrome, or Apple Safari browsers
  • Appropriate hardware to support the above browsers
  • Reliable internet connectivity

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Online support is provided as standard. Phone support is chargeable extra, Support hours are 9-5:30 Monday to Friday excluding bank holidays.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: None or don’t know
• How the web chat support is accessible: Web Chat (LiveChat is accessible via the Zellis Support portal.)
• Web chat accessibility testing: N/A
• Onsite support: Yes, at extra cost
• Support levels: Our Support Helpdesk service is based in the UK and manages incidents/issues raised by customers. The support desk operational hours are 08:00 to 18:00 Monday to Friday (excluding Bank Holidays). The support desk is manned by dedicated support consultants. Calls can be made via telephone or the portal. Outside hours, calls can be logged via the support portal 24/7. Customers may subscribe to out-of-hours support service for Priority 1 incidents with a dedicated telephone line – Mon-Fri 18:00 to 22:00, Saturday and Sunday 10:00-16:00. ; The helpdesk is underpinned by a robust Incident Management System, which enables calls to be logged efficiently, issues to be managed and resolved effectively, and progress to be monitored throughout. ; Support calls are logged on our Incident Management System. All calls are acknowledged, and each call is allocated a unique call reference number. This operates 24 hours per day, 7 days per week. ; Calls are prioritised in as agreed between the support consultant and customer, based on standard Service Level Agreement (SLA) criteria. Service Level targets are published within the SLA, providing target response, resolution, and escalation times for each category of priority.; Further details of our support are provided in the accompanying Service Definition Document.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: New customer onboarding is one of the most important tasks we undertake. We appoint a dedicated Customer Success Manager (CSM) for each customer. Your CSM will work with the assigned project management team and help set you on the shortest path to value, so that you will see a return on your investment as quickly as possible. Our implementation team will support you with the expertise and knowledge to successfully transition you to your new solution.; ; During due diligence we will work with you providing several standard courses as appropriate to the solution purchased. In addition, we will conduct a training needs analysis which will enable us to identify with you additional training which may be required to successful implement and obtain the best from the solution.; ; Training is provided onsite, online and at Zellis office, a training manual is provided for each classroom training session for the attending. The Buyer employee will work through during the course and to take with them to refer to as needed.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Upon contract termination, data will be returned to the customer in a contractually agreed format in whole, or destroyed in line with GDPR requirements.
• End-of-contract process: A mutually agreed exit plan is implemented, providing continued Account Management, support and maintenance until the contract ends or as otherwise agreed.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: No difference however responsive design will re-size the screen depending on the device being used.
• Service interface: No
• User support accessibility: None or don’t know
• API: Yes
• What users can and can't do using the API: Via the API, users can create new employees (personal details, bank details, next-of-kin, post holding, cost centre etc.), change data for existing employees, and make employees leavers.; Via the API and on demand, users can request information about employees including personal details, emergency contacts, post-holding, structure unit, and cost centre.; The API can automatically notify other applications of changes in employee personal details, job or post holding details, absence information, grade, service conditions, and cost centre details.
• API documentation: Yes
• API documentation formats: Open API (also known as Swagger)
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: ResourceLink accommodates a considerable degree of configuration to meet buyer requirements. ; ; Branding facilities can be provided to allow buyer to customise your self-service portal to get the look and feel if your own organisation. The branding pack allows you to amend style sheets, to customise images, logos, fonts and colours in line with existing intranet, internet and portal website styling.; ; ResourceLink has also been designed and developed in close consultation with the independent Customer User Group and Zellis continuously work with customer feedback from our Extranet site to enhance efficiency, intuitive data input and process flows and simple navigation. ResourceLink provides the System Administrator with the ability to customise the system in line with business requirements and tables and parameter files can be defined and maintained to configure ResourceLink in line with Buyer policies and procedures to meet the needs of different types of users.; ; All configurations are then protected on an on-going basis even following system upgrades, as these user changes form part of the database and not the software.

Scaling

• Independence of resources: Peak demands are smoothed using dynamic resource re-allocation and load balancing capabilities within the infrastructure. Each virtual server has a variable allocation of CPU which may be flexed dynamically so if a virtual server is quiet it can donate resources to to others and return them.; Resilient content switches load reverse proxy service to direct to the delivery tier to provide the application.; Baseline specifications for each virtual server reflect actual usage and storage pools have reserves based on real usage statistics.

Analytics

• Service usage metrics: Yes
• Metrics types: Application performance (response times, throughput, network times etc);; Status of application servers and databases;; Resources used (memory, CPU etc)
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Data is exported using ResourceLink reporting and analytic tool.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • XLS
  • XML
  • PDF
  • HTML
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: The SaaS-based systems are generally available for on-line use 24 hours per day, 7 days per week, excluding certain times during which housekeeping and other operational activities take place, e.g. upgrades to the SaaS infrastructure, database export routines etc. ; ; Zellis will commit to 99% availability during the Core Service Availability Period which is 08:00-18:00 on UK working days.
• Approach to resilience: Microsoft’s Azure datacentres are rated as Tier 4, offering site wide resilience and suitable environmental controls to protect the availability of systems and data. All datacentres include resilient power backed-up with UPS & generators, duplicated environmental controls, stacked network equipment, and multiple ISP links (as well as their own global network).; Azure Recovery Services Vaults and Azure SQL database services are used for in-region backup of the virtual machines and databases used to provide the service. Virtual machine discs and backups are also geo-replicated between the primary region in UK South & the DR region in UK West.; Within Microsoft Azure, a dedicated Azure Kubernetes Service (AKS) namespace is provided per customer. The Zellis HCM solution is deployed as a number of AKS containers within the namespace. Working copies of failed containers can be spawned automatically, if AKS detects said failure, and thereby provide resilience against one form of technical failure. In addition, dedicated Azure SQL databases are provided using Azure SQL Database as a Service (DBaaS). Databases are automatically replicated to different availability zones within the same Azure region, and Azure Site Recovery is implemented.
• Outage reporting: Any outages and other service-related information is shared via email to previously nominated users.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: The Zellis SaaS environment is logically isolated from the corporate network and access to customer data is restricted.; Azure privileged administrative access is achieved from the Azure portal via the Azure Bastion.; Privileged access to Azure SQL is either via RBAC (Role Based Access Control) and Azure Portal, or restricted access for Database Administrators via a Jump Box with line of sight to the database.; Support access to each AKS Cluster is via both the Azure Portal (reader) and AKS Management Virtual Machine. This is by password protected SSH key and IP whitelist.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: You control when users can access audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 24/07/2018
• What the ISO/IEC 27001 doesn’t cover: N/A.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: Cyber Essentials

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Zellis' Information Security Management System (ISMS) ensures the effective management of risks to information and information systems utilising appropriate and proportional technical and organisational measures. ; ; A set of framework articles summarise measures, to assure Zellis customers and interested parties that the information entrusted to Zellis is appropriately secured, and to demonstrate Zellis’ compliance with applicable legal, legislative and regulatory requirements. ; ; The Zellis Information Security Framework comprises of 8 security domains: Access & Identity Management, Cyber Security, Data Security & Information Lifecycle, Governance, Risk & Compliance, Human Resource Security, Operations Security, Physical Security and System & Software Development Security.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We have a defined Quality Assurance procedure and carries out rigorous testing of new releases and upgrades within this context.; ; Functionality is tested in isolation, in conjunction with the system as a whole and by regression. We run Beta Test programs for all our releases and encourage customers to participate as and when appropriate.; ; All software changes made by our development or bespoke teams are tracked by a version control system and changes are made against a specified numbering system.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Zellis receives threat intelligence and other security information from various sources. ; We operate a SIEM system. Logs from servers, network devices and database are copied to the SIEM and analysed by qualified Security Operations Centre (SOC) personnel for abnormal activity that may represent an Indicator of Compromise (IoC).; Monthly vulnerability scans and bi-annual penetration tests are carried out by an independent third-party consultancy who are CREST members.; • Critical patches are deployed in the production environment as soon as practically possible and without undue delay; • High priority patches are deployed within 30 days of the patch being agreed.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Logs from servers, network devices and database are copied to Zellis' Security Information and Event Management (SIEM) system and analysed by qualified Security Operations Centre (SOC) personnel for abnormal activity that may represent an Indicator of Compromise (IoC). Alerts are correlated and investigated by the SOC to determine if they are genuine IoCs. Documented response plans are in place for timely escalation and response to IoCs. The SOC operates on a 24/7/365 basis.
• Incident management type: Supplier-defined controls
• Incident management approach: We use an ITIL model across our support area. We continually analyse the incoming tickets and categories and where trends are identified an ITIL Problem process is adopted through to route cause analysis and resolution. Priority 1 issues are reviewed through the problem process for route cause analysis.; ; Incidents are reported are reported via the Zellis Support portal and incident reports are made available to the Buyer via the same system.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  N/A
• Covid-19 recovery:

  Covid-19 recovery

  Throughout the crisis, we have provided 1:1 outreach opportunities to all customers for additional support they may need. This has included: ; • Advice and guidance on remaining compliant with statutory and regulatory requirements; • Advice and guidance, to customers and external organisations, on how to apply the complex Coronavirus Job Retention Scheme rules; • Extensive support in the assessment of CJRS payments and claims for the payrolls that we manage.; • Emergency payroll support to customers whose in-house payroll teams had been impacted through Covid-19.; ; We have remained firmly committed to delivering our services to the highest possible standard while protecting the health and well-being of our colleagues, customers, and suppliers, and ensuring that the right procedures are in place to enable the safe continuation of business.; ; In the past twelve months we have made 83 net new hires into the organisation, of which 26% are people that were either made redundant because of Covid-19 or were looking to start a new career. ; ; Of these, 35% were unskilled and/or at the graduate level, 58% were skilled but had been made redundant because of the pandemic, and one was skilled and looking for their first employment opportunity in their new UK home.; ; In line with our initial response to the spread of Covid-19, we continue to have measures in place to both protect the wellbeing, health, and safety of our colleagues and to ensure, as far as possible, that they can continue carrying out their job responsibilities. We have progressed our work-from-home capabilities for all colleagues. We have rolled out additional training on privacy and security good practice in a home environment. We have reduced non-essential travel. We have reviewed and adjusted internal controls to safeguard information security and have implemented a schedule of frequent communications to provide updates and guidance.
• Tackling economic inequality:

  Tackling economic inequality

  N/A
• Equal opportunity:

  Equal opportunity

  N/A
• Wellbeing:

  Wellbeing

  N/A

Pricing

• Price: £1.05 a licence
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bidsupport@zellis.com. Tell them what format you need. It will help if you say what assistive technology you use.