Proposal:
BravoSolution Service Definition for SaaS Supply Management
Services
For: GPS
Provided Richard Hogg
by:
r.hogg@bravosolution.com
Tel:
0207 796 4170
Mob:
07875 316221
Commercially Confidential
PAGE 1
BravoSolution (and subcontractor QINETIQ Commerce Decisions Limited)
Supply Management Excellence delivered as a Service
The D&B DUNS® Number for BravoSolution UK Limited: 345297134
The D&B DUNS® Number for subcontractor QINETIQ COMMERCE DECISIONS LTD is: 221381762
The proposed solution set is delivered as a combination of Software As A Service and Specialist
Cloud Services, from BravoSolution and subcontractor QINETIQ Commerce Decisions Limited.
The solution set is focussed on transformational procurement and supply management technologies,
including, but not limited to:
Programme Management, Spend Analysis, eSourcing, eAuctions, eEvaluation, Contract
Management, Supplier and Performance Management, Collaborative expressive tendering and
optimisation based analysis, coupled with specialist training and consulting support.
The combined solution set incorporates over 350 man-years of research & development entirely
focused on SaaS based procurement lifecycle automation. The products are functionally and
architecturally mature having over 10-years track record of deployment for private and public sector
clients worldwide. Our solution’s current implementation track record is as follows:


Over 400 active customers worldwide deploying the solution to support a combined portfolio of
$500 Billion in annual spend
Software as a Service implementation across 16 industry verticals and 26 countries
Our technology incorporates significant capabilities resulting from such vast context of deployment
ensuring that the product presents all necessary characteristics for a successful deployment. Based
on our experience one of the key market requirements for supply management software package is
its ability to adapt to each customer’s operating model. Over the years our product has evolved to
efficiently and effectively address such demands for flexibility and adaptability. As outlined in further
detail throughout our proposal some of the key features of our solutions are:







Fully Software as a Service, web-based self service functionality
Wide array of application level customisations
Customisable multi-level product/service category scheme for supplier pre-qualification and
spend classification
Seamless integration among all modules
Customisable workflows and templates
Customisable dashboard, Spend and KPI reporting
Integration toolkit for cost effective interoperability with existing business systems
Commercially Confidential
PAGE 2
BravoSolution offers a comprehensive software suite covering process automation needs for the full
life-cycle of Strategic Sourcing for organisations in the private and public sector as follows:
Such capabilities are offered under a single, fully integrated and customisable platform available ondemand through our Software as a Service (SaaS) delivery model, offering flexibility, value and rapid
time to market to our clients worldwide. We have been successfully delivering the SaaS hosted
capability across the UK Public Sector since 2004. The service is accredited by GPS to Impact Level 3.
The proposed service was part of the OGCBuying Solutions eSourcing managed service/framework
from 2004 until its expiry in 2011.
A Secure, branded customer Portal delivered as Software as a Service
The portal may be branded in line with design guidance, corporate styles containing custom policies,
user rights, supplier agreements, category hierarchy, password policy and additional information
fields which can be configured as per requirements. Portal security, availability and reliability will be
to the highest standards and independently accredited (including HMG Impact Level 3 and
ISO27001) giving peace of mind for both buyer and supplier users.
Integrated Spend Analysis module delivered as Software as a Service
Our Spend Analysis tool is a sophisticated data management toolset that drives a deep
understanding of supplier spend (and other data, such as risk etc.) across multiple reporting
Commercially Confidential
PAGE 3
dimensions (Supplier, time, geography, category business unit etc. etc.), allowing quick and easy
identification of savings opportunities, such as:






Volume/demand aggregation
On versus Off Contract spend and compliance to terms
Supplier rationalisation
Supplier risk analysis/management
Auction opportunity savings
Initiative reporting (SME agenda, Minority, geographic etc.)
Key functionality includes:



Tools to effectively extract, cleanse & enrich, normalise & classify supplier data
Sophisticated reporting analysis console, including;
o Intuitive user configurable dashboard
o 60+ out of the box detailed management reports
o Analysis interface with sophisticated multi-dimensional visual reports (graphical and list)
o Ad-hoc report build and sharing functionality
o Drill down, across, and through options to interrogate date and perform ‘chain of
thought’ analysis.
Web based exception management
Integrated Buyer/Supplier Dashboard delivered as Software as a Service
Summarises key activities in a quick, graphical and easy to use custom dashboard, such as:







Custom widgets and view for Buyer and Supplier users (can optionally be pre-configured at
organisation level if required)
Status of current projects and components (RFXs, Auctions, Contracts etc.)
Outstanding/late process actions
Graphical, matrix and list widgets that link into list views and filters of underlying information
Received secure messages
Calendar activities, deadlines etc.
Quick & custom links
Programme / Process manager module delivered as Software as a Service
Allows custom best practice procurement processes (including: user guides, collaboration, templates
and management approvals etc.) to be mapped into the sourcing portal, to guide users through an
end to end process and pro-actively drive compliance to corporate/procurement policies and
initiatives, improve planning and management information (including driving systemic increased use
of approved processes and procurement tools such as reverse auctions, total cost of ownership,
collaborative procurement and category management).
Commercially Confidential
PAGE 4
eRFX/Tendering module delivered as Software as a Service
For managing the secure: issue/return/evaluation of best practice RFX/tender processes (PQQ, ITT,
RFI, RFP etc.). Functionality also includes:








Secure supplier self registration and acceptance of terms and conditions
Collaboration tools – for stakeholder and subject matter expert collaboration
Aggregation tools – for collaborative aggregation of demand/volume for maximising buying
power and optimising savings
Web-questionnaires (forms) and auto-scoring for quick and effective evaluation
Advanced Scenario and Total Cost of Ownership analysis
Templates for improved productivity
Reporting, audit trail and secure opening processes to ensure probity
Fully integrated with the Programme manager module to drive end to end best practice
processes
Auction Module delivered as Software as a Service
Allows RFXs etc. to be converted into dynamic auction events with multiple configuration options
(forward/reverse, price focus/value focus, multi item/multi-lot etc), integrated into the Process/RFX
modules for ease of use and productivity.
This allows auction events to be run on a self service basis if required, although a common approach
is a managed/part managed event where an experienced Auction consultant works closely with the
Buyer/Category Manager to maximise savings potential and minimise risk. Opportunity assessment
is also offered to identify auctionable categories/contracts and the savings potential versus risk
profile to help drive the use of auctions pro-actively (also the Programme/Process Manager module
can include auction reviews/processes as part of the standard sourcing process and cascaded to the
user community).
Vendor Management/Profiling module delivered as Software as a Service
Allows a custom registration process to be created to capture a vendors profile (e.g. categories of
interest, capabilities, H&S, finance, SME/minority data, corporate social responsibility etc. etc.) this
can then be used to:



Identify suppliers with appropriate characteristics (category, capabilities, turnover, geography
etc.) and invite them directly into a competitive tender.
Supplier profile information can then auto-populate RFX responses saving them time in
responding, meeting Glover report recommendations, the SME agenda and potentially
increasing competition
Custom supplier profile information can also be incorporated into a Spend Analysis supplier data
enrichment programme capturing custom information that is accurate, comprehensive for all
contracted suppliers without the cost and missing data often associated with 3rd party providers.
Commercially Confidential
PAGE 5
Contract Management delivered as Software as a Service
The Contract management module allows centralised secure repository of contracts, and related
documentation, functionality includes;









Integration with sourcing modules, including data flows from sourcing (and to ERP if required)
e.g. tender information, documents, items, pricing KPIs etc.
Mass import existing contract meta-data
Customised additional question fields
Integrated Clause Library & MCD management
Supplier MCD & price negotiation workflows
Secure Contract document storage
Customised templates and contract types
Integrated Scorecards/KPIs, reporting and MI
Automated expiry alerting
Vendor Performance Management delivered as Software as a Service
The Vendor Performance/ Relationship Management module provides a framework for analyzing
and improving supplier performance through participation analysis and performance measurement.
Functionality includes:







Dashboard reporting, lists and graphical analysis
Enterprise scorecards
Contract scorecards
ERP integration
Supplier comparison views
Supplier participation analysis
Integrated into Vendor Management Profiles
AWARD eEvaluation module delivered as Software as a Service
BravoSolution delivers the proven eEvaluation service via its sub-contractor QinetiQ Commerce
Decisions Limited (QCDL). QCDL also provides, best practice knowledge and expert services to assist
sourcing projects through-life; from preparation, qualification, evaluation, negotiation to continuous
supplier performance review and contract compliance.
eEvaluation provides a central web-based information and process infrastructure enabling project
teams to carry out evaluations and reviews wherever they are located and without the need for any
installation of additional software. This allows users to evaluate tender documents, make major
contract decisions and monitor subsequent performance collaboratively, efficiently and effectively.
It is proven to significantly increase contract value and reduce risk and has been used in projects
totalling over £60 billion to date. Other evaluation/review activities as diverse as options analysis,
Information Assurance Maturity Modelling and bid review are also supported.
We have been successfully delivering the SaaS hosted eEvaluation capability across the Public Sector
since 2003. The service is accredited to Impact Level 3 (IL3) and carries full RMADS. In addition,
eEvaluation was part of the OGC/Buying Solutions eSourcing managed service/framework from 2004
until its expiry in 2011. Since its launch in 2001, the eEvaluation service has achieved an enviable
reputation for reliability, responsiveness, ease of use, resiliency and excellent customer service.
Commercially Confidential
PAGE 6
eEvaluation has been used to support strategic procurements in a range of sectors, including
utilities, transport, central / regional / local government, healthcare, aerospace and defence,
covering a broad range of activities including the provision of schools, hospitals, transport and
defence systems
eEvaluation is the most widely adopted eEvaluation tool used by the UK Government Departments,
many Agencies and various local and regional organisations. Customers include Buying Solutions
(now GPS), the Department for Transport, the NHS, Department for Work & Pensions, Olympic
Delivery Authority, Ministry of Defence, Crossrail, Transport for London, BBC and the Foreign &
Commonwealth Office.
eEvaluation is used to support various business processes:







Tender Evaluation
Document management and authoring
Bid management
Option analysis/appraisal
Project performance review
Supplier review
Information Assurance management
Programme of blended learning, education and consulting delivered as
specialist cloud services
To support the deployment to the buyer community a (CPD accredited) learning & education
programme will be tailored to meet the teams requirements to build competence and confidence in
the use of the toolkits, embed the change successfully and realise the business benefits/ROI quickly,
including;







Basic training (classroom including workbooks and materials)
Intermediate training (classroom including workbooks and materials)
Advanced (team champion, user administration) training
Online top-up training, competence testing & certification
New version ‘differences’ training and on-demand ongoing top-up sessions
Specialist consulting
Best practice sharing and collaborative web forum for the buyer community (BravoSolution
Education Network – or BEN)
Buyer and supplier adoption and ongoing support programme delivered as
specialist cloud services
Ongoing support is as important as the training conducted during deployment, and typically
includes:


Professional helpdesk service (including call logging, call recording, out of hours recorded help
etc
Initial hands-on project support and ongoing on-demand training and project consultancy as
required by local BravoSolution professionals.
Commercially Confidential
PAGE 7


Best practice sharing and collaboration web forum for the Community (BravoSolution Education
Network – or BEN)
New version ‘differences’ training and on-demand ongoing top-up sessions
Pricing
Various licensing and pricing models are available to match the varying customer scenarios. These
cater for organisational adoption (across a procurement department for example), large programme
adoption or individual project usage. Further options exist dependent on the customer preferences
and constraints. Standard pricing is shown below. Other options are available based on different
configurations, such as multi-tenant, shared portals – Bravo/QCDL account managers /
administrators will recommend the best approach for particular customer adoption.
Pricing banding below is for annual user licences, provided as SaaS, payment annually in advance.
Minimum 5 users for configured customer solution, except Spend Analysis where Minimum 10 users
for configured customer solution.
eSourcing Configuration
Reference
No of users
Price for period of use for one year
(excluding VAT_)
ES1
Up to 5
£16,320
ES2
Up to 10
£26,640
ES3
Up to 20
£47,280
ES4
Up to 50
£66,000
ES5
Additional Band of 10
£13,200
Programme Management
Configuration Reference
No of users
Price for period of use for one year
(excluding VAT_)
PM1
Up to 5
£4,301
PM2
Up to 10
£8,603
PM3
Up to 20
£17,206
PM4
Up to 50
£43,014
PM5
Additional Band of 10
£8,603
Vendor / Performance
Management Configuration
Reference
No of users
Price for period of use for one year
(excluding VAT_)
VPM1
Up to 5
£10,320
Commercially Confidential
PAGE 8
VPM2
Up to 10
£20,640
VPM3
Up to 20
£41,280
VPM4
Up to 50
£60,000
VPM5
Additional Band of 10
£12,000
Contract Management
Configuration Reference
No of users
Price for period of use for one year
(excluding VAT_)
CM1
Up to 5
£10,320
CM2
Up to 10
£20,640
CM3
Up to 20
£41,280
CM4
Up to 50
£60,000
CM5
Additional Band of 10
£12,000
Spend Analysis
Configuration Reference
No of users
Price for period of use for one year
(excluding VAT_)
SA1
Up to 10
£22,500
SA2
Up to 20
£35,000
SA3
Up to 50
£62,500
SA4
Additional Band of 10
£12,500
eEvaluation Configuration
Reference
No of users
Price for period of use for one year
(excluding VAT_)
EP1
Up to 5
£12,600
EP2
Up to 10
£18,910
EP3
Up to 20
£31,480
EP4
Up to 50
£62,950
EP5
Up to 100
£118,980
EP6
Additional Band of 10
£11,898
Minimum 5 users for configured customer solution, except Spend Analysis where Minimum 10 users
for configured customer solution. Alternative innovative pricing proposals are available based on
Commercially Confidential
PAGE 9
multi-year options/commitment. Licences may be transferred between users during the year but are
subject to a minimum release period during which they cannot be transferred to a new user.
Consulting, training and support
Services Configuration
Reference
Product
Price (excluding VAT)
ES1
Technical Support Analyst
per day (See also SFIA
document).
£650
ES2
Technical Support
Consultant per day (See also
SFIA document).
£950
ES3
Technical Support Principal
per day (See also SFIA
document).
£1280
ES4
Technical Support Director
per day (See also SFIA
document).
£1387
ES5
1-day super-user course
£2,880 including training materials
ES6
1-day standard course
£2,500 including training materials
ES7
Training day
£2,500 including training materials
ES8
Sample bundled Services
Package for adoption of
single module (8 days
implementation support
plus super user and standard
day training).
£12,600 including training materials
ES9
eAuction managed event
Market Operations Centre
support (Up to 10 suppliers,
dummy event support, live
event support and reporting,
excluding consulting)
£3,000
Commercially Confidential
PAGE 10
Training and support options quoted above are for payment in advance. Please refer to
BravoSolution for alternative payment models (eg. monthly in arrears, combination services etc).
Service Management and Service Levels
The SaaS web-based applications are delivered through a tried and tested technological
infrastructure that has proven to be highly stable, scalable and secure. The solutions are centrally
hosted and managed providing the following benefits:




No need for risky, costly infrastructure setup and roll-out which often result in delays and
technical incompatibilities
Scalability due to optimal dimensioning of all subsystems and components (storage, webservers, bandwidth etc.) within the service delivery architecture throughout the life of the
project
Increased overall security of infrastructure and procedures since all potential security threats are
constantly monitored and preventive/corrective action taken accordingly.
This innovative method of delivery of software applications is commonly referred to as
“Software as a Service” (SaaS) deployment.
Customers choosing our SaaS eSourcing solution do not require to invest any resources in additional
HW/SW or IT staff to install, run, mange or upgrade the software solution. Under this model we are
responsible for the following activities in accordance to strict contractual service levels:










System setup and configuration
Hosting (HW and connectivity)
Custom strings/messaging
System maintenance
All base SW upgrades
Nightly data backup
Usage logs
System performance monitoring
Business continuity and disaster recovery (tested annually in accordance to BS25999)
Security (all relevant security protocols with yearly third-party penetration testing and security
accreditation)
We have one of the most advanced multi-tenant application delivery capabilities. The organization is
in a position to leverage the true benefits of SaaS while providing the highest standards of service in
terms of security, availability and performance required by the most demanding customers in the
market.
There are no technical capacity constraints on the use of computing resources. Technical
infrastructure envisioned for the project provides all necessary technical resources to adequately
address the Customer requirements for global deployment of the solution.
Commercially Confidential
PAGE 11
The table below outlines some of the key characteristics of our Software as a Service (SaaS) offering
Storage Limitations
User file upload constraints
System availability









Set by Customer
99% (minimum monthly measure – excludes planned maintenance
window)
System response time
Less than 5 seconds in 95% of typical use cases (ref direct connection
to platform – excludes public network or client related lag)
Back-up and recovery
Included
Encryption
SSL 128
Maintenance/Patches/Upgrades

None
Conducted during weekends only – min 2 week notification
The service is administered by BravoSolution /QinetiQ Commerce Decisions staff, all of whom
carry SC clearance. Management includes setting up new customers and – where requested –
managing the user accounts and password resets. It is possible for customers to self serve once
they have been configured for access.
Customers have access to a Help Desk that operates 8am to 6pm Monday to Friday excluding UK
public holidays. We offer telephone support backed up by a dedicated support email address.
The service operates in a Tier 4 data centre with 99.995% uptime Service Level Agreement. See
Financial Recompense below. We have never failed to achieve these figures.
The software is updated on average twice per year. For this and any other maintenance work,
customers receive a minimum of two week’s notice and all work is undertaken during weekends
in order to ensure minimal disruption to the service.
Typical system downtime for planned maintenance is maximum 8 hours.
In the event of a major change to the service, a planned full weekend shutdown will be
scheduled. In this instance, customers will receive at least 6 week’s notice Please note that
such an event is highly unlikely.
Software changes are designed and planned in consultation with our customers and services
teams via account manager interaction and via customer user groups.
Our policy with software updates is to ensure there is no impact to the customer’s experience,
nor degradation of the service when an upgrade is applied. All new features improvements are
built to be additive and customers can choose to start using them at a time of their choosing.
A release note is issued to all customers outlining the additions and changes to the software at
least 2 weeks prior to rollout
In the event of a release with significant new functionality we will run awareness programmes
and training sessions well in advance of the release date. Customers are informed of proposed
new functionality upgrades through official product management communications, user forums
and user groups.
Commercially Confidential
PAGE 12



The service is monitored by in-house and third party monitoring software that sends
administrators email and SMS text alerts of issues. These include any failure or inability to
connect to the service and performance degradation.
All updates to the service infrastructure are tested in our DR site prior to live rollout and
subject to robust and rigorous QA processes aligned and certified to best-in-class ITIL v5, ISO
9001 / ISO 27001 methodologies.
All software updates are fully tested using an extensive set of automated, manual and
performance tests to ensure that there is no degradation in customer experience.
Financial Recompense
Unless otherwise agreed, standard terms and conditions apply. See attached.
Information Assurance





BravoSolution is an ISO9001 accredited organisation for the delivery of web-enabled supply
management solutions through the Software as A Service methodology. The services is
accredited to ISO 27001 and CESG Impact Level 3 (IL3). It can carry information up to and
including UK Government RESTRICTED. The service has a full RMADS which can be supplied
to any accreditor upon request. The service carries an accreditation by the Government
Procurement Service which has been reviewed, re-assessed and renewed annually since
2005. The current IL3 Accreditation Certificate is attached and available at:
https://www.bravosolution.com/cms/uk/company/accreditations .
Note that the hosting infrastructure is provided by Telehouse to IS27001.
Administrators operating the service carry UK SC clearance, clearance numbers and expiry
dates can be supplied on demand. Administrators comply with operational polices in
relation to management of the service, covered by the RMADS and other policies such as
Incident Management.
Key data and documents are encrypted on disk and cannot be viewed by administrators.
We treat our customers as the Data Controllers and ourselves as Data Processors under the
definition of the Act. Whilst the service does not hold sensitive personal data, it does
contain audit trails which define the actions of its users and such data is treated as covered
by the Act.
Backup and Disaster Recovery


The Service is delivered via a UK-based Tier 4 (under the TIA-942 definition) primary data
centre with the highest available levels of redundancy and fault tolerance. The primary data
centre has live and failover systems, the failover being an exact replica of the live application
stack. There is live data replication such that in the event of loss of any primary parts of the
infrastructure, it is possible to failover with no loss of data.
A physically separate Disaster Recovery (DR) site is located in a UK-based Tier 4 data centre.
This also carries live replication of data via a secure network connection. In the event of the
Commercially Confidential
PAGE 13


unrecoverable loss of the primary data centre, the DR site can be activated with minimal loss
of data (one day at the most, with a probable-case scenario of zero to one hour loss).
Data backup includes the backup of the binary database log files that record every action in
the service life – this is permanently retained. In addition a daily and weekly backup and
retention cycle is used to provide specific backup points. The combination allows for
restoration and fast recovery of customer data to any point in time (down to
day/hour/minute/second) in the service’s life. Backups are held electronically and offsite
backup is achieved by replication to the DR site using the secure network connection. Data
never leaves the secure data centres and there are no tape backups. All backups are 128-bit
encrypted.
The system conforms fully with respect to provision of a system to Impact Level 3. Evidence
for this lies in the Service holding a Risk Management Accreditation Document Set (RMADS)
for the system to Impact Level 3. We can make the following statements with regard to
compliance with HMG Guidelines for systems handling information at Impact Level 3:
Security





The Service undergoes an annual IT Health Check as part of development of its Accreditation
Documentation set
Data is stored in a highly protected and secure data centre and servers and access to the
data is controlled through strong username/password based access mechanisms as covered
earlier in this document.
Administrator access is restricted to a limited group of operators all of whom have SC level
clearance or are in the process of being SC cleared.
Administrators are not able to ascertain details of that data or documents held in the
service, as covered earlier in this document.
All user transactions are logged via audit trails and database binary logging with logs
identifying individuals by unique ID, allowing for forensic level analysis of user actions if
necessary
Confidentiality




The Service can support electronic signature and receipt of critical transactions such as
submission of documents or bids.
A data protection policy exists to ensure protection of data held about the actions of
individuals.
An Incident Response Plan exists to respond to any perceived or real threat or security or
related incident on the service. The plan has been developed with a CLAS consultant and
all key staff to whom plan relates have undergone training. A copy of this can be made
available on request.
An intrusion detection system and routine monitoring of log files are used to identify any
attempted attack or threat of attack.
Availability

The Data Centre and hosting environment behind the service provide a 99.9% uptime
guarantee backed by service level agreements with the data centre supplier
 The Data Centre provides redundant power supplies and redundant internet connections
to guard against loss of service by localized power telecommunications failure.
PAGE 14
Commercially Confidential









Uninterrupted Power Supplies will ensure that servers cannot go down and diesel based
power generators exist to provide long term power in the event of a lengthy power
shutdown.
The hardware providing the service is built with dual redundancy in all hardware
elements. For example each server has two network cards and cables, each connected to
a different network switch such that no single component failure can disrupt the service;
a backup always exists. The primary service cannot be disrupted unless several different
hardware elements undergo simultaneous failure.
The service is delivered in a multi-tier environment. Web servers exist in a DMZ which is
separated by a firewall from the main servers. Application Servers and operating
systems are separated from data storage.
To ensure against disruption or loss, data is stored on a Storage Area Network (SAN) with
the hardware redundancy described above. All SAN disks are configured in a RAID-1
format such that data is replicated to two disks.
Loss of a single disk cannot lead to loss of data. The SAN has a number of ‘redundant
stand-by disks’ – if any single disk fails, a stand-by disk will immediately replicate from its
‘sister’ disk and bring the system back to full redundancy. Several disks have to fail
before redundancy is compromised, never mind data actually being put at risk.
Hardware service agreements ensure prompt replacement of any failed components
bringing the system back to full health.
The primary data centre carries an exact replica or ‘failover’ of the Service’s primary
infrastructure to which data is replicated in real time – in all three tiers, web server,
application servers and SAN (data storage). In the event of a drastic loss of the primary
service the failover service can be activated with no loss of data and no loss of capability.
A Disaster Recovery instance of the service is located in a data centre in a different
physical location from the Primary Data Centre, to handle a one-in-a-lifetime event such
as loss of an entire Data Centre or infrastructure. A dedicated network link between the
2 data centres ensures both protection of data in transit and their real-time replication.
The above is backed up by a document Business Continuity Plan (BCP) which identifies
roles and responsibilities and tasks to be undertaken to ensure either failover or disaster
recovery. The BCP also covers plans for other elements of the Service including for
example continuation of Help Desk and Consultancy services in the event of disaster
affecting other parts of the business.
Data is backed up incrementally and through a program of daily and weekly backup
points to allow for data recovery if customer actions such as inadvertent deletion lead to
loss of data. Backups are stored to disks using Network Attached Storage – a mechanism
that is far more reliable than magnetic tape. The NAS also carries redundant hardware
and disk configurations to protect against loss through hardware failure. Backup data is
replicated to the Disaster Recovery data centre.
Monitoring and Audit


Our platform is designed with an extensive array of activity logging features ensuring that
every element of activity is properly accounted for. Tracing is performed on a continuous
basis for all system activities as well as user actions including sellers, buyers and
BravoSolution support personnel and recorded by unique user id.
A time stamp is associated with each record being logged. All logs are compressed and
archived indefinitely providing our team and our clients with the capability of re-tracing
system activities going back to months or years.
Commercially Confidential
PAGE 15





Access to system logs are strictly controlled and limited to IT Management personnel who
are authorized to view and analyse the information behind a written request by a
claimant and by adhering strictly to our internal code of conduct on the matter.
The extent and nature of the logs, including database level binary logs, replication and
access restrictions on logs ensure that no one person is able to alter the accounting log
files.
Database binary logs and incremental backups ensure that data transactions can be
forensically examined if necessary including recovering of systems to a point-of-time.
Log files are regularly monitored, primarily for the purpose of spotting untoward
behaviour such as attempts to hack or bypass system security.
All systems are automatically and continuously synchronized through Network Time
Protocol (NTP) to GMT. This is critical to ensuring the usefulness of our pervasive logs to
the extent that the company is able to effectively and accurately determine cause-andeffect diagnosis. This is also a requirement in certain Government regulations to the
extent that the service must guarantee proper synchronization with an “official” third
party time provider.
Data Centre
The Service is hosted in a data centre managed by Telehouse located in London. This has the
following attributes:










The Data Centre carries a ISO27001 certification and has achieved a level of 0 (zero) nonconformities identified
Access to the data centre is restricted to authorized personnel who must provide
appropriate photo-id based credentials to gain access. Physical access to the data centre
is monitored and a register of access maintained.
Access to restricted areas within the data centre are controlled by security access cards
and codes
The data centre carries 24/7/365 on site manned security and has a state
of the art closed-circuit camera system both outside and within the data centre
The servers and racks that deliver the Service are not labelled and are not identifiable
except to limited set of personnel responsible for the management of the Service
The server racks are protected by a key lock system and a combination lock
There is a fully redundant power supply with full balancing of the lines in order to
guarantee power supply continuity in case of critical path failure through two 2MVA
generators in N+1 configuration
Data centre temperatures are constantly monitored and maintained at 21 °C +/- 3° and
relative humidity maintained at 50% +/- 10%
Colt Telecom are Europe’s premier telecommunications provider with over 11 ISC’s and a
20,000 km fibre optic network connecting 32 major European cities. The Data Centre has
multiple internet connections with redundancy built in against failure of any single
internet connection or provider.
Data Integrity
The integrity of the Service and all data held within is provided as follows:

Virus Protection – a Gateway level state-of-the-art protection system updated every 4
hours scans all incoming and outgoing data (web traffic, emails, attachments/documents
Commercially Confidential
PAGE 16













...etc) to protect against compromise by virus. In addition all servers carry a further level
of virus protection using latest technologies.
Management of the system is limited to an identified set of individuals all of whom carry
SC clearance in line with Impact Level 3 requirements. These individuals access the
system either directly through the data centre or through a restricted and secure Virtual
Private Network.
All key pieces of information that might identify the purpose of a project or decisions
being made are encrypted in the database such that no operator can gain knowledge of
the purpose of that data whilst performing management and maintenance activities.
All documents held in the system have their names obfuscated such that it is not possible
to determine the purpose of a document.
The contents of the documents are also encrypted. There is no mechanism within the
service itself or its technical infrastructure to view, modify or affect the contents of any
document. Documents can only be viewed and replaced by users with login and security
access through the Service and by its application security and business logic.
Access to the applications provided by the Service is controlled through secure HTTPS/SSL
based access and users are authenticated through use of unique usernames and strong
passwords.
An authenticated user’s access is further controlled by application security logic based on
the user’s role within the system.
Customers also have the option of using two-factor authentication – that is, in addition to
the password, the user must be in possession of a physical certificate or (using OATH
based authentication protocols) generate a one-time login key that must be supplied to
the Service as part of their login.
The Service is capable of supporting document digital signature process in which the
authenticity, confidentiality, integrity and non-repudiation of documents are maintained
during all exchanges among users (buyers and sellers) involved in eAuction activities.
The service has in place a Network Intrusion Detection System (NIDS) setup for detecting
any attempt to break into or misuse the technology involved in the delivery of the
Service. The Network intrusion detection systems (NIDS) monitors all network traffic
(packets on the network wire) and attempts to discover if a hacker/cracker is attempting
to break into a system (or cause a denial of service attack).
The Service carries an array of activity logging feature whereby every action or operation
performed by any user is tracked and logged with a timestamp and id of the user
performing that operation. This information is archived indefinitely and can be used to
trace activities months or even years in the past. Access to logs are strictly controlled to
who are authorized to view and analyse the information behind a written request by a
claimant and by adhering strictly to our code of conduct on the matter.
The Service has a minimal external system exposure. A hardware firewall ensures that
only those components (web servers) strictly needed for contact by the outside world are
accessible from the public internet. All other ports and servers cannot be directly
accessed. Internal firewalls further protect application and database servers from
intrusion.
The Services undergoes penetration testing. This is carried out for the development of
the Impact Level 3 Accreditation Document Set and also by independently of this using
the service of ‘white collar’ hackers – industry experts who ensure that the service cannot
be compromised.
A high level of physical security exists within the data centre to protect against physical
access to the servers housing the data. The data centre carries 24 hour manned security
and state-of-the-art closed circuit monitoring systems. Only persons on an authorised
list are granted access to the servers and the secure areas of the data centre are
Commercially Confidential
PAGE 17
protected by access doors requiring electronic cards or codes. The server racks are
further protected by combination security locks. Access to the servers is protected by
strong passwords which are available only to authorized Administrators.
Technical Policies and Procedures
The service is operated through a set of policies and procedures made up of the following
elements:




Access to the IT infrastructure of the service is restricted to identified individuals with
clear roles and responsibilities all of whom carry SC Clearance in line with Impact Level 3.
In order to access the data centre, these individuals must be on a register of nominated
administrators and present Government issued photo-id as proof.
In addition to that physical measures to protect against the loss of services, a Business
Continuity Process exists for ensuring continued delivery of the service in event of
disaster. This covers both the application platform (for example loss of the primary data
centre) – but in addition covers all aspects of our service delivery model
An Incident Management Plan exists to ensure that BravoSolution and its subcontractors
deal effectively with any security or other incidents identified by it or reported to it
We routinely monitor all elements of its IT Infrastructure for patches, particularly those
related to security improvements or new industry standards and these are routinely
applied to ensure continued integrity of the service
Buyer and supplier support, adoption and ongoing support programme
delivered as specialist cloud services
BravoSolution deliver a comprehensive support desk support system that is available 08.00 to 18.00
– Monday to Friday (excluding UK Public Holidays). In addition to this we offer comprehensive
training and support services. Our consulting service provision provides through-life support for all
levels of adoption issues from supply management tool support to the provision of the intellectual
support required to provide expert advice to the most significant procurement exercises in the UK
public sector. Our knowledge and provision is backed up by an extensive, blended training
programme covering both best practice and use of the software through classroom and online
channels.
Our software has been designed to be easy to use, our performance response times consistently
meet and exceed those required in GPS frameworks. It is our policy to resolve any queries/issues as
soon as possible following receipt of a call. Generally calls are resolved within that initial call. Any
issue that cannot be resolved on the first call is immediately directed to the appropriate team for
resolution. Outstanding customer support calls take priority over all other work within our
operations team. Any issue not resolved within two hours is escalated through agreed escalation
issue resolution protocols. The customer will be updated of progress on a regular basis.
Through a ‘hands-on’ approach, supported by tutorials and interactive classroom teaching, our
training courses give attendees a practical working knowledge of the key capabilities from all
perspectives/
Commercially Confidential
PAGE 18
We can provide bespoke support to individual projects or organisational rollout, as required by the
customer.
BravoSolution offers all the training courses and certifications necessary to enable your user base to
obtain immediate value from BravoSolution’s applications. Our educational services offers both
fundamental and advanced courses, providing a quick and easy means to get users started while at
the same time giving them opportunity for more advanced training to maximize the benefits accrued
from using the application.
The program leverages blended learning technologies, a combination of classroom and online
products designed to provide education and assessment to students at the time these services are
needed.
An example of some of the training available surrounding one of the available modules, eEvaluation:
Taking procurement evaluation as the most commonly delivered example:
The eEvaluation practitioner course addresses evaluators, team leaders, project managers, project
administration staff and decision-makers. It provides the grounding to allow them to undertake all
those day-to-day activities delivered to them within the eEvaluation service.
The evaluator users will be trained to evaluate proposals, submit clarifications and to access
documents in eEvaluation and manage RFP and proposal documents. This is most commonly
achieved via a briefing rather than classroom training.
It is recommended that administrators and project managers undertake more comprehensive
training, to include activities such as eEvaluation configuration, implementing evaluation models in
the eEvaluation tool, setting up users and their responsibilities, managing RFP and proposal
documents and reporting.
BravoSolution / QinetiQ Commerce Decisions also supports the organisational rollout of eEvaluation
with the provision of Train-The-Trainer workshops - these allow us to equip key customer personnel
to gain a more in-depth understanding of eEvaluation in order to support internal users.
In addition, the eEvaluation capability can be delivered in re-usable templates, reducing the training
overheads and total cost of ownership to our customers.
Process/domain training
has built an unparalleled level of expertise in the areas of bid evaluation and contractor downselection, having supported projects totalling in excess of £60 billion. Various best practice training is
available – this is tool/service independent but is often delivered as part of the project or
organisational rollout plan for the eEvaluation service.
We can provide bespoke support to individual projects or organisational rollout, as required by the
customer.
These services include:
 Development of the evaluation plan
 Facilitating criteria development and weightings
Commercially Confidential
PAGE 19






Conducting pre-evaluation sensitivity analysis
Facilitating evaluation dry-runs to validate and optimise the approach
Development of appropriate scoring scales for the technical, commercial and soft-issue criteria
Conducting post-assessment sensitivity
Production of evaluation reports
Conducting bidder debriefings, with appropriate justification and traceability to the bid
documents
 Implementation of the all aspects of the eEvaluation tool, ensuring time savings and quality
benefits with minimal learning curve
 Organisational deployment support
We can also provide more embedded, long-term support to the customer, as a manager or
facilitator of the supply management processes. In this scenario we would join your team for an
agreed period, and facilitate the process, bringing together many services into a cost-efficient
package. This enables the project teams to focus their domain expertise.
Sample training option summary:
Evaluator Briefing, Bespoke and Standard: For customers who wish to adopt eEvaluation whilst
making use of support from BravoSolution/ QinetiQ Commerce Decisions to configure the software
for the specific procurement project we offer evaluator briefings – a short training session designed
to allow the (potentially large group of) people involved in a supplier evaluation how to make
effective use of the software. There is a standard version, and a bespoke version, the latter being
tailored to the project’s requirement.
Training day: These can be used to support procurement activities as required by the customer. For
example, a customer may wish to make use of the existing built-in templates (or in modified versions
created for individual customers) – we offer template-based training to the smaller number of
evaluation managers who will be involved in configuring the software for a supplier evaluation.
eEvaluation Practitioner, Bespoke or Project: For customers who wish to be able to make more
extensive use of the features of the software to configure and / or administer projects requiring a
more bespoke configuration we offer eEvaluation Practitioner training. There is a standard version,
and a bespoke version, the latter being tailored to the project’s requirements.
On-boarding
BravoSolution/ QinetiQ Commerce Decisions has a 13-year track record in delivering the Service and
supporting consulting, training and account management to our customer base in UK Public Sector.
The last six of these have been as a provider on the GPS eSourcing Managed Service/Framework.

A customer wishing to place an order will be contacted by an account / administration manager.
On agreement of the level of service required, an order may be placed via the catalogue. An
implementation plan can be agreed, where relevant, to include the necessary training or support
services.
Service activation occurs on receipt of a valid order, unless otherwise requested when creating
customer specific configurations etc the customer nominated points of contact are issued with
Commercially Confidential
PAGE 20





usernames and passwords, and given access to the service in a dedicated account. Licence
extension or modification is also agreed via the account manager and licence changes can be
applied within minutes.
Upon activation of the service, customers have the option of administering the service
themselves, or using the BravoSolution Help Desk for basic administration tasks depending on
the support / delivery options adopted. Support/training services can be purchased for
assistance in the management of the system whilst executing projects.
Where consulting has been purchased, an agreed plan of work will begin with the appointment
of the lead consultant and, if required, a kick-off day to initiate the project. The nature of the
support required by customers is wide-ranging and varied. Customers can choose from a set of
available training, support and consulting programmes (see sample training section above).
Alternatively, BravoSolution /QCDL can put together a bespoke programme of support to
address any specific requirements of the customer.
Many customers choose to use a Kick-start package of training and support to enable them to
rapidly adopt and deploy the software on a specific project. This package is based around the
use of one of the pre-configured templates and assumes that the customer will be undertaking
the configuration of the software with the training and support included in the Kick-start
package.
Where the nature of the project is such that the built-in templates are not appropriate, or a
customer wishes to outsource the configuration of the software a bespoke templates can be
configured, and/or a package of support can be provided.
Imports of data are through standard web-interfaces and exel / csv formats.
Offboarding and Termination




Customers can sign up on a project specific or time expiry based licence with a given number of
users.
Customers have the ability to export data in Excel or HTML format and extract documents from
the service if they wish for backup or archival processes.
On expiry or termination of a licence, the data may be made available to the customer in read
only, restricted IP address access format. This additional access can be agreed prior to / on
contract termination.
Additional read-only access maybe agreed beyond framework/contract termination – actual
terms to be agreed on a case-by-case basis.
Data Restoration/Service Migration


See Backup section above for BravoSolution’s backup policies. In the event of data loss it is
possible for restoration of data to any point in time using the data backup and archives. Data is
recovered in the DR site and then transferred to the live site.
A charge may be levied for data restoration service if extensive recovery work is required as a
result of the data being lost through the action of the customer.
Commercially Confidential
PAGE 21

If the customer wishes to transfer data to an alternative service they are able to extract
documentation held via ZIP based export and extract other data in either HTML or Excel format.
Trial Service

During account initiation (see Onboarding) a trial service can be set up for the purposes of
proving infrastructure and accessibility. There would be no charge for this.
Commercially Confidential
PAGE 22
Response to Detailed Questions
Below is a table outlining how our service meets specific criteria.
Features
Q-G06
Q-G07
Our Response
The service is run from a secure data centre and
Networks to which the accredited to handle data to Impact Level 3. It is not
service is connected connected to any other network. Access is over the
(directly)? internet using HTTPS with the connectivity compliant
to Manual T.
API access is available, documented and supported as
part of the standard BravoSolution Integration Module
(BIM), this fully documents a series of open standard
'API' access available, web-services via the https protocol.
documented and Please also see attached summary document:
supported? “BravoSolution SaaS Suite - Integration Services.pdf”
and “BravoSolution SaaS Suite - Infrastructure and
Information Assurance.pdf”
Q-G08
Open Standards
supported and
documented?
Q-G09
Open source software
used and documented?
Commercially Confidential
Standards supported within the application are based
on pragmatic real-world customer requirements.
BravoSolution’s enabling technology is entirely based
on open standards such as Linux, JSP (Java
Server Pages), JavaScript, J2EE (Java 2 Enterprise
Edition), HTML, XML, XSL, MVC (Model View
Controller), JDBC, JAKARTA STRUTS. This ensures full
compatibility and seamless interoperability
of each component of the system architecture with the
best available web-based technologies
throughout their rapid evolution in time. We have
invested significantly in the development of
functionalities based on Service Oriented
Architecture (SOA) aimed at improving the
interoperability of the e-Procurement technology
with external platforms (client ERP or other business
systems). The company has already
developed a set of Web Services able to securely
connect the various modules within the
application to external system both, during component
set-up phase, and when extracting data
from negotiations’ archives.
We make use of Open Source software.
Documentation is available on the components and 3rd
party applications that are used. We can provide this
on an as-needed basis. BravoSolution’s enabling
technology is entirely based on open standards such as
Linux, JSP (Java
Server Pages), JavaScript, J2EE (Java 2 Enterprise
PAGE 23
Edition), HTML, XML, XSL, MVC (Model View
Controller), JDBC, JAKARTA STRUTS. This ensures full
compatibility and seamless interoperability
of each component of the system architecture with the
best available web-based technologies
throughout their rapid evolution in time. See also
“BravoSolution SaaS Suite - Infrastructure and
Information Assurance.pdf”
Service Management
Q-G10
The service is in a secure data centre and accredited to
handle data to Impact Level 3. It carries an RMADS
Technical
which identifies the technical boundaries and fully
boundaries/interfaces of
documents the risks, mitigations and residual risks.
the service documented?
Please also see “BravoSolution SaaS Suite Infrastructure and Information Assurance.pdf”
Services available to
other suppliers so they
Q-G11
can use them to provide
services to government?
We do work alongside partners in delivery of the
service and associated support/consultancy services as
part of a wider offering and are open to working with
additional government suppliers in this way as needed
by particular customer(s).
Examples include BravoSolution Integration Modules,
SSO provisioning etc.
Q-G12
There is a simple onboarding process - our account
management / administrative team provides an
interface to customers and will determine licensing
needs and provide quotations and license sign off.
Once this is done, a customer account can be switched
on and made available in a matter of minutes, where
an existing un-configured solution is chosen. As part
on-boarding process e.g. of the service provision we provide a business-hours
moving on to the service? Help Desk and consulting services to provide either
training, ramp-up or "run the system for you" services
to assist customers in deploying use onto individual
projects or cross-organisational rollout. To enable quick
adoption, our services include Template and "Kick
Start" packages allowing customers to achieve success
quickly and with low levels of investment/cost of
ownership.
Q-G13
Customer data may be held online in IP access
restricted, read-only format to be interrogated by the
SaaS on expiry of licenses. This service is provided to
off-boarding process e.g. the original contracted service levels and security
moving off the service? protocols and is available at a chargeable rate.
Customers freely can extract data in Microsoft Office
and HTML formats as well as extract any
documentation stored on the service.
Q-G14
Data extraction/removal Confirmed. Extracted / removed / destroyed inline with
Commercially Confidential
PAGE 24
criteria met? customer requirements. See above Q-G13 and
“BravoSolution SaaS Suite - Infrastructure and
Information Assurance.pdf”
Q-G15
The data is run from highly secure (Tier 4/TIA-942)) UK
Data processing and data centres. There are two data centres, a Primary
storage locations and Disaster Recovery. The two are connected by a
defined? secure data link. There is no off-shoring of data. An
RMADS and accreditation to IL3 exists.
Q-G16
We provide the service from our UK located data
centres - the service is accredited to store data to
Impact Level 3 and the security implications mean we
Data location option can provide a fixed and closed service. Options for other
be defined by user? locations are not provided although we are amenable
to supporting internal installation within customer
locations or on alternative hosted infrastructure if this
desirable to the customer.
Q-G17
This is not applicable. The service is in a secure data
Data held in Safe Harbour centre and accredited to handle data to Impact Level 3
(if applicable)? and all data including DR is stored entirely within the
secure UK data centres.
Q-G18
Q-G19
Data centre(s) used
adhere to best practices
described by the EU Code
of Conduct for Data
Centre Operations?
Data centre tier?
Q-G20
Support
boundaries/interfaces of
the service documented?
Q-G21
Service roadmap
provided?
Commercially Confidential
Our data centre provider is compliant. It holds an ISO
27001, ISO9001 and ISO4001 accreditation as proof of
compliance with Environmental and Carbon Trust
Standard guidelines and meets or exceeds these
guidelines
Tier 4 under TIA-942 definition
Yes. “BravoSolution SaaS Suite - Infrastructure and
Information Assurance.pdf” and “BravoSolution SaaS
Suite - Integration Services.pdf”. In addition, we run a
Business Hours Help Desk based on telephone and
email support. There is clear separation of Service
Administration and Customer Support roles and
operational policies in place for the support we offer
and interaction with customers.
Our Support team is responsible for providing software
support and help with use of the software to achieve
particular goals. Our Services team is responsible for
providing best practice advice and support to
customers and for executing projects on the customers
behalf. Our package definitions, engagement and
project management approach with customers clearly
identifies the organisational support roles they can
expect from us and delineates areas of responsibility.
Yes. In addition to below, also see . We work with our
customers to define customer and market
requirements and changes to the software to meet
those requirements. This is via individual contact with
our Help Desk and Consultants and via User
Groups/Forums. All changes to the product are
PAGE 25
•
•



Q-G22
carefully specified and built to ensure no operational
change to existing data or end-user experience. The
product release cycle includes early notification of
planned features, formal release notes delivered to
customers prior to rollout and advanced warning of
any downtime to provide system updates. All planned
downtime is carried out outside of UK business hours.
Examples:
• Strengthen Negotiation Model
• Worksheets
• Usability
Aesthetics
Improve VRM
• Scoreboards
• Optimization
• Document Level Savings
• DIY Customer Reporting
• Threshold Based Workflows
• Aggregated Projects
• Glance based object status
• UI Improvement Findings*
Improved support for output to Microsoft Office
formats
Revamp of the graphical output to support
developments in browser technologies
Improved controls for user specified output content
and layout
Ongoing improvements to support new/updated
browser technologies and security considerations.
Yes. We have a series of quality assurance and system
performance/load goals and formal specifications of
how these will be met. These are tested and verified at
each release under ITIL V5 methodologies - each
release cycle will also update these attributes to
account for new features or other changes to the
service.
Service performance attributes are well defined and
Performance attributes cover availability, response times, querying speed etc
defined and in the service definition.
documented? Our design aim is to provide end user response times
of 4 seconds or less for all major operations given a
broadband level internet connection. We use a Tier 4
data centre with a high level of internet connectivity
and capacity to provide the backbone to deliver this.
To ensure we achieve targeted performance levels we
benchmark all server side operations and these form
part of an acceptance load test.
Prior to each release the service is tested under
Commercially Confidential
PAGE 26
simulated loads that exceed those experienced in
Production systems and at each release we ensure no
degradation against performance; taking any remedial
action that is necessary.
Additionally we monitor production system
performance to ensure target loads are achieved
Q-G23
Q-G24
Q-G25
Q-G26
Q-G27
Q-G28
A full backup and disaster recovery policy is in place.
Backup & Disaster This is documented in the Service Definition and see
Recovery? “BravoSolution SaaS Suite - Infrastructure and
Information Assurance.pdf”
We provide a telephone based Help Desk between 8am
to 6pm Monday to Friday, excepting UK Public
Holidays. Email based support is also available at these
times. We also provide training and specialist
Is a support service
consulting services which often form part of the
provided and
customer engagement with us. The service is made
documented?
available to all active licence users through dynamically
available web-pages and includes contact detail
updates (such as telephone number, email, web-call
me back etc) available times etc.
Customers are able to access real time information
about various aspects of the service to manage project
and organisational usage of the system, including
realtime application reporting. Within the constraints
'Real time' management
of the security accreditations and compliance with
information available?
Data Protection we often additionally provide specific
summary information to customers. Detailed
information about user actions are logged, but only
divulged in compliance with Data Protection guidelines.
Yes – various options in this area are available.
However, the service is most commonly billed in
Reports include each
advance, so not routinely provided. Bills will generally
billed unit?
indicate the units and numbers of units
purchased/delivered
Whilst self-service provisioning / de-provisioning is
Self service
available, the specialist nature of the service and the
provisioning/despecific audit trail requirements means that most
provisioning?
customers do not take advantage of this approach.
Minutes to set-up new users / provisioning / deprovisioning on self-service basis.
In addition, frequently customers work with our
account management team to agree licensing and
Indicative time for delivery approach. Following receipt of purchase
provisioning/de- order, it is possible to activate the service for a
provisioning customer in a matter of minutes on our SAAS
documented? foundation. We have a series of predefined packages
for self-service (with training) or consulting led use
ranging from project specific to organisation wide
rollout of the service. We work with customers to
understand their needs and provide a suitable standard
Commercially Confidential
PAGE 27
or custom model. User competence is obtained in
anything from 1 hour (for simple access) to several
days training and some weeks experience (for more
complex configuration tasks).
Q-G29
We use internal and 3rd party monitoring of the
service. Internal monitors assess the performance of
the various elements of the service from database
3rd party service through to web servers against defined thresholds and
monitoring tool access? notify administrators of any issues. 3rd party
monitoring of the service from remote locations will
identify availability, response times and any downtime
and inform administrators via email and SMS.
Service Desk can be used
Yes by mutual agreement. BravoSolution has provided
by 3rd party suppliers for
Q-G30
other support service desk services for SaaS solutions
their services - e.g. small
including SAP, sell2wales and others.
SaaS provider?
Commercial
The SaaS modules are typically priced on an individual
unit based pricing model, by module, number of users
and usage timescales. Frequently the service is often
priced on an annual, per user, pricing model. Many
Unit based pricing
Q-G31
other models are available and will be selected and
model?
depending on the nature of the engagement (project –
SML, organisational SML etc) .Please refer to the
pricing tables in the Service Definition for more detail
or BravoSolution for the most appropriate option.
Aggregated billing Yes, the service billing can be aggregated across
Q-G32
options? accounts or multiple users / cost centres in an account.
One month for individual unit based pricing in addition
Minimum Contract/Billing
Q-G33
to existing minimum one year contract. One year for
Period?
large scale, customer specific configurations.
Q-G34
Free option? No
Yes in certain circumstances – refer to ‘Trial Service’ in
Q-G35
Trial Option?
the Service Definition
Commercially Confidential
PAGE 28
No.
Customer data may be held online in IP access
restricted, read-only format to be interrogated by the
SaaS on expiry of licenses. This service is provided to
Termination costs ? the original contracted service levels and security
protocols and is available at a chargeable rate.
Customers freely can extract data in Microsoft Office
and HTML formats as well as extract any
documentation stored on the service.
Supplier contract terms
Contract terms are under English law.
jurisdiction?
Payment Options? Purchase Order, Credit Card, BACS
Q-G36
Q-G37
Q-G38
Clients
The software supports all version of Internet Explorer
from Version 6 onward and Firefox. Other browsers
Web browser interface? such as Chrome and Safari and those on mobile devices
can also be used, however are currently undergoing
official support accreditation.
Q-LOT3-1
Q-LOT3-2
Q-LOT3-3
Q-LOT3-4
Q-LOT3-5
The software supports all version of Internet Explorer
from Version 6 onward and Firefox. Other browsers
Supported web browsers
such as Chrome and Safari and those on mobile devices
documented?
can also be used, however are currently undergoing
official support accreditation.
Details of other thin
There are no other client requirements, only a web
client modes
browser is needed.
documented?
Other client software
As above
documented?
The software CAN be accessed from Smartphones, but
due to the nature of the application there is not
currently customer demand for Smartphone access and
Smartphone Access?
this is not currently formally supported. This is
reviewed regularly to assess whether future support is
required.
Q-LOT3-6
The service supports off-line working through the use
of export / import routines with standard MS Office
templates such as excel. Users can download to MS
Off-line working & Office applications, work on the content and upload
synching? into the application.
Full document management capabilities, such as checkin, check-out, version controlling, freeze etc are
supported.
General Features
Commercially Confidential
PAGE 29
Q-LOT3-7
Attachment support?
Q-LOT3-8
Anti-virus protection?
Q-LOT3-9
International Language
Support?
The service fully supports the ability to load documents
- its primary purpose is support the supply
management process, including significant
requirements for access to and evaluation of specific
information documents, such as bids, supplier
information etc. It has full attachment support of any
type of document/file.
The service has full Anti-Virus protection. Also see
“BravoSolution SaaS Suite - Infrastructure and
Information Assurance.pdf”
The software is capable of operating in any language
including far-eastern multi-byte character sets. The
captions and online help system within the software
can also be translated into any language including fareastern multi-byte languages. Currently the solution is
available translated in English, German, Italian,
Spanish, French, Dutch, Chinese, Welsh.
Q-LOT3-10
Yes, the service is supported by workflow facilities
relevant to the conduct of supply management
activities. This is delivered through embedded module
Workflow facilities? capabilities and the programme management module,
and includes approval processes, information capture,
assessment, pre-requisites, dependencies, task
promotion etc including alerting, messaging.
Q-LOT3-11
Yes, taxonomy structures may be created within the
service, or imported from existing offline tools, such as
Importable taxonomy? MS Excel. BravoSolution has supported the definition /
import of taxonomies with ~6levels and several
thousand individual ‘leaves’.
Q-LOT3-12
Q-LOT3-13
Folksonomy is currently supported within the online
community BEN including cloud tagging etc.
As above. The facilities include assignment to various
modules within the same or different taxonomy
Taxonomy facilities?
structures. BravoSolution also provides services to
support taxonomy definition.
Folksonomy support?
Q-LOT3-14
There are no significant integration requirements
leading to the need for plugins or extensions. The
plug-in / extension service is internet facing and offers the ability to
ready? manage data to Impact Level 3 (RESTRICTED) and has
extensive firewall protection. For security reasons we
rarely not make use of plugins/extensions.
Q-LOT3-15
plug -in / extension
See above – not generally applicable
marketplace?
Commercially Confidential
PAGE 30
We make information available to publicly required
advertisement notice sites via web-services / xml
Syndication?
standards. Generally other supply management
activities are not made available elsewhere.
Q-LOT3-16
Native search?
The service supports native search of information input
into the service.
Q-LOT3-18
Native support of bulk
input / export of data &
meta-data in standard
formats?
BravoSolution supports import / export of data and
meta-data through pre-defined formats and routines.
These include contract header information, supplier
registration information etc from MS Excel standard
template formats. Mass document uploads may also be
imported from standard routine formats.
Q-LOT3-19
Link Management?
Q-LOT3-17
It is possible to enter links to either data within the
service or to any external and accessible web content.
Business Continuity
Q-LOT3-20
Separated environments:
Publishing / Editing /
Search?
Q-LOT3-21
Caching?
Whilst the breakdown in the question is not strictly
applicable to our service, we have a complete DR
facility in place with real time data replication to a
physical separated UK DR data centre. This is
described in our Service Definition. “BravoSolution
SaaS Suite - Infrastructure and Information
Assurance.pdf”
As above - live replication of data to a DR site.
“BravoSolution SaaS Suite - Infrastructure and
Information Assurance.pdf”
Authorisation, Authentication and
Personalisation
Q-LOT3-22
Q-LOT3-23
Q-LOT3-24
The service has pre-defined SSO web-services available
for integration identity systems, including automated
Integration with Identity user provisioning where applicable. This typically
Systems? requires customer specific definition and
implementation, particularly in the context of the
existing IL3 accreditation.
It is possible to record details of users in line with the
User profile page?
needs of our service.
The software has extensive features to provide
comments against data that is being collected or
Comment on item? processed. These are configurable, with predefined
configurations included in templates. Comment
facilities include collaborative discussion threads.
Integrated Communications tools
Q-LOT3-25
Instant Messaging? The service is support messaging between users.
Commercially Confidential
PAGE 31
Yes. The service supports searching / filtering /
supporting of embedded meta-data. The service is
developed to provide a robust audit-trail surrounding
eDiscovery? all user activities for use in reporting and natively
supports eDiscovery activities through the principles of
Privacy, Authentication, Integrity and Non-repudiation
(PAIN).
Yes. These may be imported from other BravoSolution
Migration Tools extract formats, or by mass-loading of information,
Available? such as evaluation criteria etc in formats such as excel /
csv
Q-LOT3-26
Q-LOT3-27
Q-LOT3-28
Q-LOT3-29
Q-LOT3-30
Video Conferencing? The service does not support video conferencing.
The service supports a restricted network social
network called the BravoSolution Education Network
Social Networking?
(BEN) with embedded blogging, messaging, forums and
learning environments.
The service supports a restricted network social
network called the BravoSolution Education Network
Social Networks?
(BEN) with embedded blogging, messaging, forums and
learning environments.
Q-LOT3-31
Calendars? Yes. With integration into other modules.
Q-LOT3-32
Contact Management? Yes. With integration into other modules.
Q-LOT3-33
Yes. Users of the service are given To-Do lists of
projects and tasks within projects based on their user
assignments. The system also supports on line and
To Do Management?
email based alerting - users are alerted to tasks they
need to complete and can follow a link that accesses
their data via secure login to the Service.
User Generated Content
Q-LOT3-34
The service supports a restricted network social
Solution provides network called the BravoSolution Education Network
Blogging capabilities? (BEN) with embedded blogging, messaging, forums and
learning environments.
Q-LOT3-35
Solution provides wiki The support network / user help is delivered and
capabilities? supported via a wiki interface
Q-LOT3-36
Solution provides forum
capabilities?
Q-LOT3-37
Solution provides content
rating capabilities?
Commercially Confidential
The service supports a restricted network social
network called the BravoSolution Education Network
(BEN) with embedded blogging, messaging, forums and
learning environments.
Content rating capabilities are not directly relevant to
this service. However rating within the context of
supply management is available (contract rating,
supplier rating, bid rating etc).
PAGE 32
Q-LOT3-38
Q-LOT3-39
Q-LOT3-40
Content rating capabilities are not directly relevant to
Solution provides content
this service. However rating within the context of
recommendation
supply management is available (contract rating,
capabilities?
supplier rating, bid rating etc).
The service supports a restricted network social
network called the BravoSolution Education Network
Solution provides social (BEN) with embedded blogging, messaging, forums and
media sharing e.g. tweet learning environments. Otherwise IL 3 restrictions
this? currently mean no embedded social media sharing
currently available, however open to continuing
dialogue regarding the relevance.
Solution provides Stop word filtering is an embedded feature of relevant
automated stop word areas of the service, for example the spend analysis
filtering? cleansing suite.
Un-listed service
Q-LOT3-41
Q-LOT3-42
What is the name for the
service (if different from
response in "About your
Services" section)?
Price for most common
configuration (i.e.
Supplier's best selling or
expected best selling
configuration)?
Q-LOT3-43
Minimum service unit
pricing interval?
Q-LOT3-44
Is the service Public or
Private?
Q-LOT3-45
Impact Levels (ILs) at
which the service is
accredited to process
and/or store information
(actual or target)?
A common unit priced package comprises 5 annual
eSourcing £16,320, excluding VAT for a single year.
This price includes the annual maintenance charge,
which gives access to the Help Desk and product
updates for the licence term.
1 year, or part thereof by agreement, for noncustomised solution in conjunction with existing one
year contract. 1 year for customised, configured
solutions.
The service is an internet facing "Public Cloud" service.
It is possible for the service to be installed on specific
customer sites or as part of a Private cloud installation
- this last case would require 3rd party product licenses
for dependent products such as the database which
would be chargeable.
The service is accredited to Impact Level 3
(RESTRICTED) - actual. It carries a full RMADS and is
accredited by the Government Procurement Service.
The accreditation has been in place since 2005 and is
renewed annually.
The service is accredited to Impact Level 3
(RESTRICTED) - actual. It carries a full RMADS and is
Has the service been accredited by the Government Procurement Service.
Q-LOT3-46
accredited? The accreditation has been in place since 2005 and is
renewed annually. “BravoSolution SaaS Suite Infrastructure and Information Assurance.pdf”
Features
How would you
SaaS Procurement and Supply Management service
Q-LOT3-47 categorise the service e.g.
solution
Billing / Social Media etc?
Commercially Confidential
PAGE 33
The proposed solution is based on an off-the-shelf
web-based software package from BravoSolution and
incorporates over 350 man-years of research &
development entirely focused on web-based
procurement lifecycle automation.
Q-LOT3-48
Component modules include, but are not limited to:
 A secure Portal
 Spend Analysis
 Programme/Process manager module
 eSourcing module (including eAuctions)
 Dedicated eEvaluation module (AWARD QCDL)
 Vendor Management/Profiling module
 Contract Management Module
Short description  Vendor Performance Management Module
(summary) of the
 Deployment programme of blended learning &
service?
education
 Programme for Buyer and supplier adoption
including training and ongoing user support
 On-demand sourcing enablement and
consulting/operational support
BravoSolution has more than 400 clients in 30
countries and its supply management software is
currently used by over 50,000 procurement
professionals worldwide. The company is proud to
support a portfolio of leading client organizations
including The Scottish Government, Glasgow City
Council, L’Oreal, GE Aviation, BBC, NHS Heart of
England, PepsiCo, DuPont, Unilever, Welsh Assembly
Government.
LOT 4 - Specialist Cloud
Services
Q-LOT4-1
Q-LOT4-2
Yes. Our company provides SaaS and
consulting/services team provide specialist support in
two areas. Firstly tool support, providing support to
customers in use of the suite tool and specialist
services such as developing of re-usable templates,
Do you provide services
guidance and training. Secondly "expert advice" and
that support Cloud
support to assist customers in designing and
services?
implementing supply management processes. This is
most commonly applied to major procurement
exercises resulting in high quality, efficient and legally
compliant procurements, particular where compliance
with OJEU is needed.
Do you provide vendor
Our service is not specific to any particular vendor.
specific services ?
Commercially Confidential
PAGE 34
Q-LOT4-3
Q-LOT4-4
Q-LOT4-5
Q-LOT4-6
Q-LOT4-7
Q-LOT4-8
If the vendor(s) have
accreditation, are you See above – not applicable
accredited?
Vendor accreditations? See above – not applicable
There are a variety of different pricing/delivery models
including both unit priced and resource based. A
common unit priced package supports a small to
medium sized procurement evaluation and involves up
to 8 days plus tool training and assessor briefing. This
package of support is referenced as ES1 (eEvaluation
Services Package 1) and is priced at £13,600, including
T&S and excluding VAT
For the purposes of this entry, a small/medium sized
If your services are unit
procurement evaluation is defined as follows:
priced, price for most
 It does not have a very large number of criteria (i.e.
common configuration
less than 200)
(i.e. Supplier's best selling
 All criteria apply equally to all bidders (i.e. there are
or expected best selling
no “lots”, “regions” or “options” to be evaluated)
configuration)?
 A small number of different scoring scales will be
used to evaluate the entire set of evaluation criteria
(i.e. 5 or less scoring scales)
 The evaluation will not take a long time (i.e. less
than 2 months)
 Where the evaluation team will comprise less than
15 individuals.
Support is focussed on the configuration and use of
eEvaluation with the minimum support for preparation
and other activities.
Yes. Please refer to "BravoSolution SFIA Definitions &
Rate Card v1 0.docx"
If your services are
Please note that the SFIA rates quoted are for 8 hours,
resource based, priced
as per the SFIA specification. The SFIA rates therefore
SOFIA table provided?
vary from the STANDARD rates because they have
been pro-rated to reflect the additional half hour.
Un-listed Service
Please complete if your
service does not fall into
the categories listed
below in the Services
section
What is the name for the
service (if different from
As per in the "About your Services" section
response in "About your
Services" section)?
The proposed solution is based on an off-the-shelf
web-based software package from BravoSolution and
Short description
incorporates over 350 man-years of research &
(summary) of the
development entirely focused on web-based
service?
procurement lifecycle automation.
Commercially Confidential
PAGE 35
Component modules include, but are not limited to:
 A secure Portal
 Spend Analysis
 Programme/Process manager module
 eSourcing module (including eAuctions)
 Dedicated eEvaluation module (AWARD QCDL)
 Vendor Management/Profiling module
 Contract Management Module
 Vendor Performance Management Module
 Deployment programme of blended learning &
education
 Programme for Buyer and supplier adoption
including training and ongoing user support
 On-demand sourcing enablement and
consulting/operational support
Services
Q-LOT4-9
Design Authority?
Q-LOT4-10
Project / Programme
Management?
Q-LOT4-11
Business Analysis?
Q-LOT4-12
Commercially Confidential
We undertake the role of Design Authority only in
respect of the Supply Management Software and own
the design and implementation of the software
product
Our consulting team users structured engagement
processes, adapted to fit specific customer
requirements. Project plans are agreed and regularly
reviewed as part of the engagement cycle. We can
take responsibility for or integrate with overall
programme management. Project programme
management tasks can be undertaken at a project,
programme or organisational level.
An early part of all customer engagements involves
greater or lesser amount of business analysis. We are
recognised expert provider of evaluation, procurement
and review advice and will use this expertise combine
with the analysis to ensure effective delivery of the
business processes in association with the service.
In the context of our specialist consulting service we
design and develop implementation, adoption and
operational models for customers. This can be done
Design and on a one-off basis for specialist projects or via reDevelopment? usable models and templates. We also design and
develop end-to-end methodologies to facilitate
definition of criteria, process models and
evaluation/review of end results.
PAGE 36
Within our specialist consulting service, our delivery
package includes testing/quality assurance of both the
development of procurement models and verification
of the process/data prior to execution of decision
making processes, including independent peer review
using a different member of our team.
Q-LOT4-13
Testing?
Our software system also undergoes extensive quality
assurance including software based unit tests,
regression testing using a suite of automated tests and
manual scripted verification for critical features and
performance/load testing. Software is also rolled out
Beta and Pre-Production on services for verification in
"live" environments and for customer
verification/training and early experience access to
new features.
Q-LOT4-14
In the context of our specialist consulting service we
support project specification and selection in the
Project Specification and context of deployment of our service and adoption
Selection? operational projects. This can be done on a one-off
basis for specialist projects or via re-usable models and
templates.
Q-LOT4-15
BravoSolution provides integration services via
standard open standards web-services methodologies.
Service Integration? BravoSolution has integrated into hundreds of different
applications, including ERP, Supplier management,
Official advertisement, Transportation systems etc.
Q-LOT4-16
Our services offering includes deployment services
ranging from change management, template creation
and training to development of content for customers.
Deployment?
Note that no technical support is required for
deployment - the service requires only a browser with
no additional plugins or software to operate.
Q-LOT4-17
Our service offering includes support in migrating data
from other services. Data from other sources can be
prepared and imported via Excel. Data can also be
exported in Excel format for integration to other cloud
services. This is rare though due to the specialist
nature of our service.
Q-LOT4-18
Transition Management
(including rapid inter
cloud service
data/service migration)?
Our service is managed by SC cleared operational staff.
Management of individual customer’s data including
users and projects can be carried out as agreed via our
Service Management? Help Desk or via our consultants. Where authorised to
access individual customers' data, we do so via specific
logins on the customers account to segregate
accountability and audit.
Commercially Confidential
PAGE 37
Q-LOT4-19
Q-LOT4-20
Q-LOT4-21
Q-LOT4-22
Q-LOT4-23
User Management can be carried out by the customer
(using nominated Administrators) or via our Help desk.
This service is also sometimes provided as one of the
services under a contracted support/consultancy
User Management?
package within the customer organisation.
Organisations can be responsible under an ‘enterprise’
agreement for the ongoing user creation, provisioning
and management.
We provide a number of training courses - these range
from formal training in all aspects of the product to
training packages developed in conjunction with
standard re-usable templates that make use of
commonly used procurement model - these allow for
streamlined and low-cost training and lead to faster
implementation and deployment. Our offering
Training? includes the ability to take our standard templates and
modify them to suit specific customer needs, again
offering a low cost option for rollout. Our knowledge
and provision is backed up by an extensive, blended
training programme covering both best practice and
use of the software through classroom and online
channels.
This is not applicable except in the context of the
Editorial? user/organisation configurable help/guidance and
process support contained within the suite.
Our service is managed by SC cleared operational staff.
Management of individual customer’s data including
users and projects can be carried out as agreed via our
Help Desk or via our consultants. Where authorised to
Application management access individual customers' data, we do so via specific
and support? logins on the customers account to segregate
accountability and audit. This service is also sometimes
provided as one of the services under a contracted
support/consultancy package within the customer
organisation.
Many customer engagements involve a degree of
strategy and implementation services associated with
the change programme leading to the delivery of the
service. This will either be complete oversight or
integrating with our customer and/or their other
Strategy and advisors Our consulting team are recognised experts in
implementation services? the implementation and advisory space, particularly in
relation to running OJEU compliant procurements both
in terms of overall strategy, compliance with legal
frameworks and the use of Electronic Tools to
streamline the procurement and manage costs and
timescales.
Commercially Confidential
PAGE 38