Mercur Solutions (UK) Limited

Mercur Business Control

Mercur is a leading provider of unified Enterprise Performance Management solutions. Founded in 1976 Mercur delivers; Budgeting, Planning, Forecasting, Reporting, Dashboarding and Analysis applications within a single cloud solution designed for; Large Enterprise, Central & Local Govt, SME and NHS. Mercur Business Control creates greater effectiveness and efficiencies for organisations.

Features

• Unified solution for Budgeting, Forecasting, Planning, Reporting & KPI Analysis
• Combine unlimited data sources & size for real time updates
• Unlimited dimensionality and hierarchies for flexible reporting and analysis
• Unlimited users - scale from 1 to 100,000
• Workflow, collaboration, collect direct data entry from employee/budget holder
• Strong matrixed security control of Personal Identifiable Information
• Financial and non financial data combination meets all reporting needs
• Access all reports from any supported browser, mobile or desktop
• Fast ETL and calculation engine for allocations, re-forecast and simulation
• Leverage machine learning and predictive analytics to deliver business insight

Benefits

• Reduce time and cost to complete budgets, forecasts and reporting
• Reduce time and cost to create and run simulations
• Reduce time to create re-forecasts and compare
• Reduce time and cost to publish Management Reports
• Create single version of the truth actual, budget and forecast
• Cost reduction on existing systems and data management
• Consolidate multiple systems and reduce cost and time
• Increase accuracy, build confidence in financial & operational numbers
• Reduce risk in spreadsheets, Google Sheets / Excel
• Reduce time and cost to manage reporting processes

£22.29 a user a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  ODT

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at derek.morrison@mercur.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

959550355622739

Contact

Derek Morrison
07388906833
derek.morrison@mercur.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
• Service constraints: Our system has no known constraints. All clients can access Mercur Business Control from a modern browser.
• System requirements: Only a modern browser environment to access Mercur Business Control

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We provide email support and use Jira for clients tracking.; ; Clients can phone, email or post a support ticket directly. The client can then track the ticket via our web application.; ; Our standard support times are 08.00 - 18.00 Monday - Friday; ; extended support times are available by arrangement
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: None or don’t know
• How the web chat support is accessible: Connected via our website with Hubspot; ; Text chat only - support and log tickets
• Web chat accessibility testing: We have implemented and delivered webchat via Hubspot within our website
• Onsite support: Yes, at extra cost
• Support levels: Standard support in relation to our cloud software SLA is included in the annual cost of the software agreement.; ; Additional support - onsite is available at standard daily rate £950 per day or as negotiated, dependant on number of days required.; ; Out of hours telephone support during critical periods; month -end, year-end, planning period, forecast period, and budget period. This is a bespoke service by individual client and is not price listed.; ; Additional consultancy support is available at standard daily rate of £950.00 as negotiated dependant on number of days.; ; As the software is a standard deployment no cloud support engineer is required and the technical account management is included by way of named/allocated consultant.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Full user training is available as part of the implementation process. ; ; Web training, product video and webinars are available; ; Standard user documentation is available. ; ; Customised documentation to support individual applications are made available as part of the scope of implementation.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • ODF
  • PDF
• End-of-contract data extraction: There are multiple routes;; ; Flat File (csv); JDBC/SQL; XML; JSON; Excel extract
• End-of-contract process: Standard contractual terms allow the client to extract their data at the contract end date. Mercur will retain any data required in line with GDPR and other legal requirements. ; ; Other services may be available in terms of documentation or data model requirements. This can be inked into a contract as necessary and dependant on client requirements.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Users may user mobile or tablet devices to access Mercur Business Control. The application provides a touch enabled interface on these devices. There are no functional differences between a desktop or mobile/tablet environment.
• Service interface: No
• User support accessibility: None or don’t know
• API: Yes
• What users can and can't do using the API: For database queries using our provided Excel plugin. The API is optional for the individual customer.
• API documentation: Yes
• API documentation formats:
  • HTML
  • ODF
  • PDF
  • Other
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: There are a number of customer customisation available be that branding, style of reports, style of dashboards, drill functions, workflows. ; ; Code can be customised but we caution clients in customising code as we believe this is not necessary.

Scaling

• Independence of resources: Mercur front-end is a multi tenancy solution which means it scales to thousands of users and provides maximum experience through load balancing. 'Scale up - scale out'; ; Each client has a separate back-end database so other client demand will not degrade performance.; ; Mercur live monitoring ensures scale up/scale out in terms of memory required to meet performance

Analytics

• Service usage metrics: Yes
• Metrics types: System usage statistics by individual user; Memory usage ; Number of users; Number of sessions; Database size; System Availability; System Uptime; Data volume import; Data volume export
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Mercur provides standard functionality for users,subject to administration, rights to automatically export data to a number of different formats. Including standard and customised reports.; ; e.g. excel, PDF, image, txt etc
• Data export formats:
  • CSV
  • ODF
  • Other
• Other data export formats:
  • Text file
  • PDF
  • Excel
  • Image
  • SIE
  • XML
  • PPT
• Data import formats:
  • CSV
  • ODF
  • Other
• Other data import formats:
  • SIE
  • XML
  • Excel

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection between networks: All communication between the web browser and web server is encrypted with TLS. Mercur uses 256-bit encryption and 2048-bit public keys with RSA.
• Data protection within supplier network: Other
• Other protection within supplier network: Each server separated and segregated which means only data from a single customer is located on each server. Each server has two-factor authentication requirement; Data at Rest; The data is encrypted with AES256 for server-side data and any local caches.; Data in Motion: Client; Data communication is encrypted both externally and internally with AES128; Data in Motion: Web Client; All communication between the web browser and web server is encrypted with TLS. Mercur uses 256-bit encryption and 2048-bit public keys with RSA.; Data Leak Prevention; Each server is monitored for abnormal behaviour and has a next generation signature-less antivirus.

Availability and resilience

• Guaranteed availability: Mercur Solutions will use; commercially reasonable; efforts to make the Mercur; Cloud Service available for a; Monthly Uptime Percentage of; at least 99.90%, in each monthly billing cycle.; ; We offer credits on unavailability of the service during client working hours as per contract.
• Approach to resilience: The Mercur Business Continuity Plan is established according to ISO22301.. Supported by a fully resilient network set up on multiple Data Centres with an SLA of 99.99%.; All services are dual homed to provide geographic resilience for business continuity and disaster recovery scenarios. Risk assessments are carried out for any systems that are not resilient. ISO27001 covers back-up policy with systems brought back up within a fixed amount of time dependent on Maximum Tolerable Period of Disruption (MTPD) and Recovery Time Objective (RTO).; Critical systems are all designed and implemented in a resilient fashion.; Datacentre resilience is provided via dual data centres. Additional information is available on request.
• Outage reporting: The status of the cloud service you can find here: https://status.mercur.com/ all updates, incidents and maintenances are published there.; ; Through this website you can can subscribe in order to get updates via: ; ; Email alerts; Text messages ; Atom Feed or RSS Feed

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
• Other user authentication: For each user, a list is added with the login methods. ; ; Internal and External Computers; Automatic login with sspi-sso requires the user reside on the domain server or one linked with domain of the server. If you travel and do not have access to the domain (not able to or do not want to use a VPN), it's useful to have an alternate login mechanism available to all or a few users. The solution is to combine sspi-sso with win-server.
• Access restrictions in management interfaces and support channels: We use IP-blocking to restrict access to admin interfaces and Mercur is entirely flexible in terms of security. Therefore certain interfaces can be locked for certain user types etc.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Lloyds Register QA Ltd
• ISO/IEC 27001 accreditation date: 8/5/21
• What the ISO/IEC 27001 doesn’t cover: N/a
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • CSA CCM version 3.0
  • ISO/IEC 27001
• Information security policies and processes: All information security policies are dictated by our ISO27001 governance held by our Cloud Service Provider. All employees follow ISO27001 have a “Company Essentials” folder on their desktop linking directly to the guidance and policies themselves. These policies include:; ; Acceptable Use Policy, Access Control Policy, Anti-Bribery Policy, Backup Policy, Clear Desk and Screen Policy, Conflict of Interest Policy, Control of Documents, Control of Records Policy, Corrective and Preventative Action Policy, Data Classification and Confidential Data Policy, Email Policy, Encryption Policy, Equipment Reuse and Disposal Policy, Group Retention Criteria Policy, Guest Access Policy, Information Security Incident Reporting Policy, Information Security Policy Statement, Internal Information Security Management System Policy, ISO 27001 Awareness Policy, Mobile Device Policy, Network Security Policy, Outsourcing Policy, Password Policy, Remote Access Policy, Risk Assessment Procedure, Mercur Information Security Awareness Policy, Secure Development Policy, Social Media Policy, VPN Policy, Wireless Access Policy

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Changes to components of the service are tracked and managed via the same systems that are used to track changes to customer devices. All access is logged by individual user and time stamped. All device configuration files are checked on a daily basis for any changes - these changes are then automatically added to the Network Configuration Management system change database.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Threats are assessed under the guidance of the Internal Information Security Management System Audit Policy. Internal audits of all Information Security Management System policies, procedures and controls are carried out at least once per annum in accordance with the Information Security Management System Internal Audit Schedule. Certain policies, procedures and controls may require more regular review according to importance or history of problems.; Our patch management policy is;; Critical - 1 working day; Important - 3 working days; Moderate - 28 calendar days; Low - 28 calendar days; Threat Info - Ms, Sophos, Digital Shadows - as examples
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Mercur hopsting solutions implement DualMalware Intrusion Detection and Prevention Services. For the purpose of this policy an information security event or incident is defined as: ; ''An identified occurrence or weakness indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation which may be security relevant.'' ; All responses are responded to within 30 minutes by default. Special measures/policies exist for critical threats, details of which are available on request.
• Incident management type: Supplier-defined controls
• Incident management approach: Mercur has a documented Incident Management Process which is updated annually. This is available on request. ; Users will be notified proactively within 30 minutes of any incident that is affecting the service. Users can also log incidents via phone, web or email. All incidents are logged and reported . Availability reporting shows when, and for how long a device has been down. Live incident reporting provides analysis of incident category and resolution codes. This helps customers identify incident trends. link here : https://status.mercur.com/

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  Mercur Solutions is fully cognisant of the challenge's faced in the battle to reduce our carbon footprint. Whilst only a small organisation we have policies on supply, waste & travel which has a positive impact in reducing our footprint. ; ; Though the implementation of Mercur Business Control we believe that organisations can reduce their footprint through better use of technology to reduce travel and promote home working if required.
• Covid-19 recovery:

  Covid-19 recovery

  Mercur's support for Covid recovery is through the deployment of Mercur Business Control. Organisations have struggle with collaboration and decision making during the pandemic due to moribund technology. As organisations emerge from the pandemic there is a drive to reduce manual working and risks associated with excel and create collaborative decision making through a technology that provides organisations with more granular information to base decisions on.; The implementation of Mercur will in line with Action Note PPN 06/20;; ; Support organisations and businesses to manage and recover from the; impacts of COVID-19, including where new ways of working are needed to; deliver services.; ; - Improve workplace conditions that support the COVID-19 recovery effort; including effective social distancing, remote working, and sustainable travel; solutions.
• Tackling economic inequality:

  Tackling economic inequality

  Mercur's support for Covid recovery is through the deployment of Mercur Business Control. Organisations have struggle with collaboration and decision making during the pandemic due moribund technology. As organisations emerge from the pandemic there is a drive to reduce manual working and risks associated with excel and create collaborative decision making through a technology that provides organisations with more granular information to base decisions on. The implementation of Mercur will in line with Action Note PPN 06/20;; ; create opportunities for entrepreneurship and help new, small; organisations to grow, supporting economic growth and business creation.; - Influence staff, suppliers, customers and communities through the delivery of the contract to support employment and skills opportunities in ; growth sectors

Pricing

• Price: £22.29 a user a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: As part of our engagement process we will agree a specific use case where we will demonstrate the use case with client data within the Mercur Application to prove the ability to deliver free of charge
• Link to free trial: https://www.mercur.com/Web-Demo

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  ODT

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at derek.morrison@mercur.com. Tell them what format you need. It will help if you say what assistive technology you use.