EU Supply Limited

DPS Dynamic Purchasing System

Mercell (EU Supply) eProcurement allows compliant tenders above and below threshold with UK Procurement Forms integration. Configurable SQ/PQQ and online questionnaires, document libraries and process workflows with easy to use templates. e-Tendering integrates with DPS, eEvaluation, eVendor, Contract Management with automatic passing of data and single login.

Features

• Simple, easy to use to do checklists for fast adoption
• Online and configurable structured questionnaires e.g. CCS SQ
• Shared document libraries, Windows style folders and files
• Secure messaging with file attachments
• Manage your own e-tender team with different access rights
• Unlimited workspaces holding related tenders by department, value or category
• Access searchable EU-Supply UK database; over 90,000 registered suppliers
• Configurable procurement templates e.g. Restricted / Formal Tender, Quick-Quotes, DPS
• Dedicated eTender URL and branded landing page
• Integrates with e-Contract Management, DPS, Quick Quotes/RFQ, e-Evaluation, e-Vendor

Benefits

• To-do lists enable significantly faster tender launches: less human errors
• Reusing tenders and SQ/PQQ templates saves time
• Supplier SQ/PQQ responses saved; only needs validation next time
• Creation of standard Document libraries for collaboration and sharing
• Distance working or working from home capability
• Audit trail of each tender for transparency and legal compliance
• Configurable to match your organisations internal policies and procedures
• Manage your projects, suppliers and contracts from a single interface
• Ensure brand visibility by tailoring your page
• Collaboration across other organisations – Frameworks, DPS and mini competitions

£4,500 to £39,000 a unit a year

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at richard.south@mercell.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

822619802419540

Contact

Richard South
07969 356042
richard.south@mercell.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: No constraints
• System requirements: Internet access and web browser to operate

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Immediate acknowledgement (under 1 hour) and ticket number issued. Response times thereafter are:; ; Priority LOW - 16hr; Priority MEDIUM - 5hr; Priority HIGH - 3hr 30min; Priority CRITICAL - Under 3hr; ; Automated response over weekends
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: No
• Support levels: The Mercell / EU Supply Ltd Service Desk may be reached by phone, email or through a Support Website ticket process. All these options are part of the offering at no additional cost. Support will be provided to all suppliers/contractors as well as all super users of the system, who have obtained user training. Such support will be provided during normal business hours 0900-1700 Mon-Fri (excl. Bank Holidays) unless otherwise agreed. All clients are assigned an Account Manager and Client Success Manager.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Authority makes a request to join the system via contacting EU Supply (phone or via email) and completes a simple initialisation form with the Authority details and buyer details.; Upon receipt of a Purchase Order, the Authority is set up in the system both on the live production site and a demo/training site. Standard procurement templates are loaded for the Authority.; The secure log in is sent to the Administrator of the Authority. The Administrator of the Authority can access guidance and training material and create additional users as per the Purchase Order.; Authority can go live and start publishing tenders within one day of receipt of online form and the PO.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Authority has to give written notice of termination and then the archive facility will be switched on to allow the Authority to download the tender data. There is no additional cost for this.
• End-of-contract process: Authority has to give written notice of termination and then the archive facility will be switched on to allow the Authority to download the tender data. There is no additional cost for this.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Visually smaller due to scale of mobile devices. Pinch & Zoom gesture may be required for certain areas.
• Service interface: Yes
• User support accessibility: WCAG 2.1 A
• Description of service interface: Online SAAS system with login page for Buyer / Supplier and home screen presenting all options surrounding eTendering and Contract Management.
• Accessibility standards: WCAG 2.1 A
• Accessibility testing: Service meets a mixture of WCAG 2.1 A and 2.1 AA
• API: No
• Customisation available: Yes
• Description of customisation: Additional modules can be added, users can customise workflows, workspaces, vocabulary can be adjusted. Done from within the system itself. Done by system nominated Administrators / Super-Users.

Scaling

• Independence of resources: The current loading of the platform is closely monitored and is kept below 30% of the capacity to cater for rapid increase of service load. Additional servers can be added easily to increase the capacity if required. Application infrastructure supports web servers to be fully scalable. Additional web servers can be added on-demand.

Analytics

• Service usage metrics: Yes
• Metrics types: System reporting provides user metrics
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest: Physical access control, complying with another standard
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Archive module allows for exporting of tender data into readable files and folders using common office PC programs (e.g. Word, Excel)
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • Word
  • Excel
  • PDF
  • XML
  • HTML Webpage
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • Excel
  • Word

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Minimum SLA is 98% during Working Hours, but target and currently achieving 99.8% over the last few years.
• Approach to resilience: High Availability(HA) infrastructure designed to host CTM application with redundancy of resources at all levels.; • HA pair of Front firewalls for service boundary protection to accept the incoming HTTPS connections.; • A second tier of HA pair of firewalls exists between the web servers and the backend databases.; • Web servers are clustered to provide redundancy and scalability.; • Database mirroring technology is used to maintain Primary-Secondary database instances as hot standby server with automatic rapid failover support; • All file storages are replicated to a secondary location; • Backups are taken into disaster recovery location using secured connection through IPSec tunnel
• Outage reporting: Public dashboard and email alerts

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
  • Other
• Other user authentication: Optional SSO
• Access restrictions in management interfaces and support channels: Access to management interfaces are protected by Secure VPN access and 2-factor authentication.; Role-based access controls for information systems are established to incorporate only “need to provide” legitimate limited access to meet business needs.; Access to the resources on the EU-Supply network, computing, information systems and peripherals is strictly controlled to prevent unauthorised access.; administration access within the EU-Supply infrastructure is restricted to those persons who are qualified and authorised to perform systems administration / management functions. Even then, such access are performed under dual control requiring the specific and documented approval of Change Requests.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: MSECB
• ISO/IEC 27001 accreditation date: 20/09/2023
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • ISO 9001
  • ISO20000
  • ISO 14001
  • ICO Data Protection Registration
  • RMADS ISMS

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Confidentiality of information is guaranteed as part of our integrated information management system. This has been implemented and refined since 2009 to safe guard EU-Supply IPRs, security of its information and services, quality of its services and projects, and this integrated management system has been certified ISO 27001:2013, ISO 9001:2015, ISO 20000-1:2011 and ISO 14001:2015 for all business processes across the group, with certifications all performed by PECB accredited certification body. All access to the system delivered as Software as a Service is via secure user authentication. Only users with access to documents and workspaces can view, edit or download information and manage workflow. There is logical separation between workspaces and user profiles.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Configuration and change management process described in EU-Supply’s Information Security Management System(ISMS) which is ISO/IEC 27001 certified:; • All changes in are subject to Change control process and are to be tested prior to deployment; • All changes need to be analysed for risk of applying/not-applying change; • All changes needs a formal Change request form to be filled in by the requestor which includes time-plan, detailed steps, responsible, rollback plan etc for any change and sent to ISF (Information security forum) for approval; • Upon approval of ISF, changes are applied; • ISF maintains changes in the Change Record
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: It is the policy of EU-Supply to ensure that vendor supplied security patches of Software/OS/3rd party components in use are applied in a timely manner.; Patches are subject to Change Control Process and are to be tested before deployment.; Patches are obtained from the relevant support provider.; Identified critical security patches are installed as soon as practicable.; A variety of sources of critical patch information are to be used. Examples include Vendor websites, vulnerability websites, vulnerability scans carried out by the systems security team and directly from the Support provider support team.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: A number of monitoring control features are in use, including "internal" (through System Center Operations Administrator SCOM) as well as "external", such as Site scanner service to monitor external access of websites.; There are other logging features also enabled such as IIS logs, firewall logs, URL traces, error logs etc. EU-Supply operations team monitors such alerts and logs proactively to identify potential problems and find remedy.; If a potential compromise is discovered then it is dealt according to severity classification as laid in Incidence response procedure in Eu-Supply Information Security Management System(ISMS) which is ISO/IEC 27001 certified.
• Incident management type: Supplier-defined controls
• Incident management approach: EU-Supply process is detailed in Incident Response Plan according Information Security Management System(ISMS) which is ISO/IEC 27001 certified. Aspects:; • Incident management roles and responsibilities.; • Communications strategies and mechanisms for escalation, including contact details.; • The conditions under which third parties are contacted.; • How incidents are to be categorised and prioritised.; • Reporting requirements.; • Process flow from incident notification to final closure.; • How to respond to different incident types.; • Strategy for business continuity post compromise.; • Analysis of legal requirements for reporting compromises & Procedure for personal data protection breach and registration of breach (GDPR)

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Equal opportunity
  • Wellbeing

  Equal opportunity

  As a part of its commitment to sustainable growth, Mercell decided in 2020 to sign the UN Global Compact and its ten principles on human rights, labour, environment, and anti-corruption. Mercell works to ensure that all employees and anyone acting on behalf of the company perform their activities in an ethical and socially responsible way, and in accordance with the company’s values of Growth, Curiosity, Courage and Trust. These principles are embedded in the company’s Code of Conduct.; ; The parent company Mercell Group raised more than £40m GBP on the Norwegian stock market to become the leading eProcurement provider in Europe. As part of this strategic growth plan, the UK business has been targeted for investment.; ; Headquartered in Oslo, Norway, the company has activities across 28 locations in 13 countries. At the end of 2020, the Group had 456 employees, including near-shore contractors. This was an increase from 199 FTEs at the end of 2019. Organic growth accounted for 30% of the increase and acquisitions for 70%.; ; The employees count 20 different nationalities. The company works to support the objectives of the Gender equality and Discrimination Act to promote equal opportunity and rights. The company is committed to an inclusive work culture, based on diversity, equal employment opportunity and fair treatment of all employees.; ; The company strives to reflect the diversity in the society and among its customers, and maintain a balance in age, gender, and cultural background among its employees. Women made up 42% and men 58% of the workforce at the end of 2020, with the share of women increasing during the year. 65 employees are defined as managers, with personnel responsibilities, of which 36% are women and 64% men.; ; Approximately 34% of the staff is below 35 years, 44% between 36-55, and 11% above 55 years.

  Wellbeing

  Mercell shall be an attractive place to work, and the company has committed to taking action to create and maintain a good and inclusive working environment. The working environment is considered good. The company does not accept any form of harassment or discrimination based on race, colour, religion, gender, sexual orientation, national origin, age, or disability. No cases of harassment were reported or investigated in 2020. Total sick leave for the Norwegian operation was 2.95% in 2020. No occupational illnesses or injuries were reported or investigated in 2020.; ; Every Mercell company and every contractor is required to have a systematic approach to the management of Health, Safety, Security and Environment (HSSE), designed to ensure compliance with law an applicable standard, the wellbeing of its personnel and the protection of the environment.; ; Mercell has operated in compliance with national and regional rules and recommendations with regards to the Covid-19 pandemic. The company has strived to facilitate efficient and healthy home office solutions for the employees and fulfil its responsibilities with regards to social and professional follow-up.; ; To achieve the above, Mercell employees have a performance review every 6 months and a personal development plan is defined together with the help of the employee’s manager.; ; The Mercell UK team is looking into the following options to further contribute to the health and wellbeing of its employees’, suppliers and local communities:; • Set aside a number of hours annually that employees can use to volunteer and support local community projects of their choice; • Regional sponsorship / charitable support to local communities; • Looking at linking in with groups such as Go4Growth or the Federation of Small Businesses.

Pricing

• Price: £4,500 to £39,000 a unit a year
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Free version available for 3 months with full functionality. Setup and implementation costs are chargeable.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at richard.south@mercell.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.