Basware Holdings Limited

Basware AP Protect

AP Protect is a P2P data analysis solution providing a continuous and preventative protection against duplicate payments, invoicing errors, and supplier fraud.

It includes over 200 reports to drive process improvements and reduce risk in the P2P environment, using machine learning and AI to protect working capital.

Features

• Duplicate invoice analysis of 100% of transactions prior to payment
• Root cause analysis of duplicate and erroneous transactions
• Reports to highlight working capital cash recovery opportunities
• Workflow management tool to investigate, assess and resolve risk transactions
• Master Vendor File duplicate record, missing data and usage analysis
• Payment Term reporting to protect capital
• Fraud safeguarding at vendor and transactional level
• Dashboards and reports for management and operational purposes
• Accounts Payable performance reporting
• Detailed spend analysis by vendor, business unit or organisational structure

Benefits

• Prevents overpayments and payment errors prior to payment
• Protects funds and capital within the organisation.
• Provides learnings from results of transactional reviews, improve future efficiencies
• Visibility across multiple ERP/P-Card systems, isolate sources of errors
• Safeguards the organisation from potential fraudulent activity
• Reduces ongoing audit and recovery costs
• Vendor Master File optimisation, cleansing data and improving operational efficiencies
• Business insights, provides recommendations to increase efficiency and measure change
• Provides Dashboards to visualise areas of innovation opportunity
• Delivers fast purchase order spend insight and analysis

£0.11 to £16.00 a unit

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info.uk@basware.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

936109235276718

Contact

Paul Newman
0845 603 2885
info.uk@basware.com

Service scope

• Software add-on or extension: Yes
• What software services is the service an extension to: Basware specialises in automating AP processes for organisations. Our solutions can coexist, compliment or can operate in isolation, depending on the set up at a specific customer site. Eg. some of our customers only avail of our Delve product and have another incumbent solution in place to automate their invoices.
• Cloud deployment model: Public cloud
• Service constraints: Basware uses a continuous development methodology, with an automated delivery pipeline, to continuously release small updates with low associated risk. There are two different update types: monthly updates and maintenance updates. The monthly update is used to deliver the vast majority of new features, enhancements, and bug fixes and are typically applied in maintenance periods, maintenance updates are applied on a on demand basis and users are normally unaware that an update has is being applied. Typically more than two-thirds of updates are carried out without service downtime.
• System requirements:
  • Accessed via internet or a direct point to point connection
  • Supports current browser versions of the major browsers

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: "Depending on severity and SLA.; ; Severity Class Target Response ; Time Critical Within 1 working hour ; High Within 8 Working Hours ; Medium Within 16 Working Hours ; Low Within 40 Working Hour; ; For a committed response and Resolution Time, Basware offers enhanced support SLA's (silver and gold) as described in the related SLAs"
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Onsite support
• Support levels: We provide a single level of support across our products and services, which includes a helpdesk (in solution contact), support email address and helpdesk contact number. This is free of charge to our customers and included in the subscription cost. Within the solution is a helpdesk function with direct access to the customer / technical support team. This support is available to assist in both technical issues and user queries. Customers will also be issued with a technical account manager to support this function.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Full user training is delivered as part of the implementation.; ; The training consists of;; ; • Multiple remote learning sessions delivered by webinar; • 3 days on-site training in small groups or on a 1-2-1 basis at go-live; • Access to user guide documentation; • Help function in the software on all modules; • Refresher and new starter training on-site or online as required
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Reports and analysis data can be extracted directly from the solution at any point in time. At the end of the term the solution and the data within it will remain available to the customer for a period of 6 months. No data is lost as all original data remains in the customer ERP.
• End-of-contract process: At the end of the contract the company shall have the option to renew the agreement for one more year at the same annual fee by sending written confirmation within 15 days of the agreement expiration. If the agreement is not renewed the customer will have access to the solution and the data within it for 6 months.; ; Included in the cost is;; ; Implementation; Maintenance; Hosting; Training; Customised Reports; ; There are no additional costs.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: None or don’t know
• API: No
• Customisation available: Yes
• Description of customisation: It is possible to create customised reports from the data held within the solution, specific to the user / organisation. Within the solution is an Ad-Hoc reporting section. It is here that any individually created reports are viewed. All customised reports are created by our own IT group. Requests for such customisation is made via the users account manager.

Scaling

• Independence of resources: Each client data is in their own tenant containing their data versus a multi-tenant environment. This ensures each individual client isn’t affected by the data or usage of another client.

Analytics

• Service usage metrics: Yes
• Metrics types: Operational Metrics - AP KPI – Overview dashboard provides information on 4 strategic key performance indicators (KPI):; - E-invoice Rate – indicates the % of all invoices which are electronic; - Spend under control – invoices based on PO or payment plan (Contract) Automatically matched; - Paid on time – % of invoices which are paid on or before the designated due date; - Performance trend - The dashboard also has the trend of each specific strategic KPI as well as the breakdown of each strategic KPI in bar charts
• Reporting types: Regular reports

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Users have the ability to export any of the reports in AP Protect into Microsoft Excel.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Other
• Other protection between networks: Files are sent via a PUSH or PULL SFTP process.
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Basware consistently operates the Basware service to meet a target level of 99.9% of time during a combination of core and non-core hours (97.5% during the first month of service or following a major release). Further information included in Service Definition document. This is underpinned by our Service Level Agreements which provide for Uptime performance of 99%/99.5%.
• Approach to resilience: Available on request
• Outage reporting: Outages would be reported via email alerts. Scheduled Maintenance Windows Scheduled maintenance windows are required to allow for security updates, application upgrades and patching, addition of new hardware, etc. Basware reserves the right to specify the times of scheduled maintenance windows which will be targeted to be outside the hosting location's typical business working hours in order to keep the service interruption time for endusers close to zero. The scheduled maintenance windows may take place with 5 days notice. A maximum of two maintenance windows will be used in any month. During the maintenance window users will be informed of the unavailability of the service. For SaaS Three Customers only the notice period is extended to 10 days. Basware Analytics maintenance may take place with 5 days notice. A maximum of two maintenance windows will be used in any month. During the maintenance window users will be informed of the unavailability of the service. Unscheduled Maintenance Windows: If unscheduled maintenance windows are required then 48 hours notice will be provided. If emergency repairs or updates are required, for example to apply security patches, then if the urgency is low enough 24 hours notice will be provided.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Public key authentication (including by TLS client certificate)
  • Username or password
• Access restrictions in management interfaces and support channels: Basware has documented logical access controls, for requesting and granting access rights to production systems and applications. Access is on a role-based model, approved by management. Access rights are removed from operating systems and applications immediately after termination/transfer of employment and specific notification from HR or supervisors. Access profiles defining roles based on user job functions are documented and used to restrict access. These follow the principle of least privilege. Root, Administrator and other privileged operating system level access to production system is restricted to authorised individuals. Operating system and applications are configured to enforce minimum requirements for password quality/expiration.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: KPMG
• ISO/IEC 27001 accreditation date: 14/12/2022
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: ISAE 3402

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Basware Information Security Policy describes the practices through which Basware assures its existing and future customers, partners and employees that their information is securely handled, stored and processed. The Information Security Policy target is to comply with the ISO 27001 standards. The minimum target is to comply at all times with the local legal requirements. Within the organisation, the Chief Financial Officer is responsible for the main policies concerning security, for its strategic steering and monitoring, and for the allocation of sufficient resources. In addition, Security Steering Group coordinates the overall security. Security Steering Group is chaired by the CFO.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: The Basware solution has been built to be managed by our customers and configuration changes would typically be carried out by the customer organisation. Basware's software as a service offering does not work on the approach that our customers are buying services from us for configuration changes. If Basware is required to make changes then a formal and documented change management process must be followed. Configuration changes are documented as change request tickets.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Systems are scanned for vulnerabilities at regular intervals. Customer production systems are scanned weekly. Customer and internal IT production systems are scanned internally with privileged system credentials for: hard-to-find vulnerabilities and configuration errors, installed software patches, and system configuration compliance against applicable benchmark standards. Risks are recorded in a risk register. The risk assessment includes business impact assessment, threat assessment, and vulnerability assessment. Risk management includes risk mitigation actions, risk avoidance, risk transfer, and risk acceptance in full or in part. Risk mitigation may include preventive, reactive, and corrective actions. Reactive and corrective actions are triggered by risk realisation.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: If production systems and business applications generate security events, for example both successful and failed instances of user logon and logoff, changes in privileges, such as user and access management, software changes and removal, system and application configuration changes, and significant system events. Create, read, update, and delete access on customer data is monitored. Exceptional access (outside of standard data flow) generates security events. Security events are transferred to a secure monitoring system as soon as events are generated and buffered locally to prevent event loss in case of break in communications with the secure monitoring system.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Production environments are monitored for incidents and failures and incident tickets are opened for anomalies. Monitoring includes internal and external performance. Production environment activity is monitored by reviewing most common system and application log events in weekly meetings. Event logs are collected and stored. A service level agreement (SLA) for service availability and performance is in place. Performance against the SLA is monitored, measured and reported to customers on a monthly basis including statistics on incident management.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  We are committed to reducing our environmental impact, particularly our carbon footprint, through our solutions which we innovate for customers and our day-to-day business operations. Reducing our carbon footprint through our business operations is accomplished through a two-pronged strategy centered on creating sustainable offices and reducing emissions from business travel and commuting. Whilst we recognize our journey towards achieving net zero emissions is just beginning, we are pleased to share that we are continuing to make promising progress.

  Equal opportunity

  Our goal is to empower all employees to bring their authentic selves to work, knowing that their unique perspectives and experiences contribute to our collective growth. Together, we strive to build a culture that embraces diversity, promotes equity, and celebrates the power of inclusion. Our Employee Relations Policy outlines our commitment to promoting DEI&B within the organization, resulting in a respectful and productive work environment. Our Code of Conduct emphasizes the company’s commitment to diversity by recognizing and respecting all individuals regardless of race, sex, religion, political beliefs, disability, sexual orientation, gender identity, social status, age, or any other legally protected status.

  Wellbeing

  Our employees’ health and happiness have an impact on their engagement and productivity, as well as the company’s success. We are committed to promoting our employees’ wellness through a comprehensive set of tools (listed below) that empower individuals, foster community, and promote overall wellbeing. By investing in these, we hope to create and maintain a healthy work environment in which employees can thrive professionally and personally. We want to contribute to a sustainable and socially responsible future by aligning with ESG principles and having a positive impact on our workforce and beyond, using strategic pillars, clear objectives, and a robust set of tools.

Pricing

• Price: £0.11 to £16.00 a unit
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info.uk@basware.com. Tell them what format you need. It will help if you say what assistive technology you use.