Proposal: BravoSolution Service Definition for SaaS Supply Management Services
For: GPS
Provided by: Richard Hogg
r.hogg@bravosolution.com
Tel: 0207 796 4170
Mob: 07875 316221
Commercially Confidential

BravoSolution (and subcontractor QINETIQ Commerce Decisions Limited)

Supply Management Excellence delivered as a Service

The D&B DUNS® Number for BravoSolution UK Limited: 345297134
The D&B DUNS® Number for subcontractor QINETIQ COMMERCE DECISIONS LTD is: 221381762

The proposed solution set is delivered as a combination of Software As A Service and Specialist Cloud Services, from BravoSolution and subcontractor QINETIQ Commerce Decisions Limited.

The solution set is focussed on transformational procurement and supply management technologies, including, but not limited to: Programme Management, Spend Analysis, eSourcing, eAuctions, eEvaluation, Contract Management, Supplier and Performance Management, Collaborative expressive tendering and optimisation based analysis, coupled with specialist training and consulting support.

The combined solution set incorporates over 350 man-years of research & development entirely focused on SaaS based procurement lifecycle automation. The products are functionally and architecturally mature having over 10-years track record of deployment for private and public sector clients worldwide. Our solution’s current implementation track record is as follows:

- Over 400 active customers worldwide deploying the solution to support a combined portfolio of $500 Billion in annual spend
- Software as a Service implementation across 16 industry verticals and 26 countries

Our technology incorporates significant capabilities resulting from such vast context of deployment ensuring that the product presents all necessary characteristics for a successful deployment. Based on our experience one of the key market requirements for supply management software package is its ability to adapt to each customer’s operating model.
Over the years our product has evolved to efficiently and effectively address such demands for flexibility and adaptability. As outlined in further detail throughout our proposal some of the key features of our solutions are:

- Fully Software as a Service, web-based self service functionality
- Wide array of application level customisations
- Customisable multi-level product/service category scheme for supplier pre-qualification and spend classification
- Seamless integration among all modules
- Customisable workflows and templates
- Customisable dashboard, Spend and KPI reporting
- Integration toolkit for cost effective interoperability with existing business systems

BravoSolution offers a comprehensive software suite covering process automation needs for the full life-cycle of Strategic Sourcing for organisations in the private and public sector as follows:

Such capabilities are offered under a single, fully integrated and customisable platform available on-demand through our Software as a Service (SaaS) delivery model, offering flexibility, value and rapid time to market to our clients worldwide.

We have been successfully delivering the SaaS hosted capability across the UK Public Sector since 2004. The service is accredited by GPS to Impact Level 3. The proposed service was part of the OGC/Buying Solutions eSourcing managed service/framework from 2004 until its expiry in 2011.

A Secure, branded customer Portal delivered as Software as a Service

The portal may be branded in line with design guidance, corporate styles containing custom policies, user rights, supplier agreements, category hierarchy, password policy and additional information fields which can be configured as per requirements. Portal security, availability and reliability will be to the highest standards and independently accredited (including HMG Impact Level 3 and ISO27001) giving peace of mind for both buyer and supplier users.

Integrated Spend Analysis module delivered as Software as a Service

Our Spend Analysis tool is a sophisticated data management toolset that drives a deep understanding of supplier spend (and other data, such as risk etc.) across multiple reporting dimensions (Supplier, time, geography, category business unit etc. etc.), allowing quick and easy identification of savings opportunities, such as:

- Volume/demand aggregation
- On versus Off Contract spend and compliance to terms
- Supplier rationalisation
- Supplier risk analysis/management
- Auction opportunity savings
- Initiative reporting (SME agenda, Minority, geographic etc.)

Key functionality includes:

- Tools to effectively extract, cleanse & enrich, normalise & classify supplier data
- Sophisticated reporting analysis console, including:
  o Intuitive user configurable dashboard
  o 60+ out of the box detailed management reports
  o Analysis interface with sophisticated multi-dimensional visual reports (graphical and list)
  o Ad-hoc report build and sharing functionality
  o Drill down, across, and through options to interrogate data and perform ‘chain of thought’ analysis.
- Web based exception management

Integrated Buyer/Supplier Dashboard delivered as Software as a Service

Summarises key activities in a quick, graphical and easy to use custom dashboard, such as:

- Custom widgets and view for Buyer and Supplier users (can optionally be pre-configured at organisation level if required)
- Status of current projects and components (RFXs, Auctions, Contracts etc.)
- Outstanding/late process actions
- Graphical, matrix and list widgets that link into list views and filters of underlying information
- Received secure messages
- Calendar activities, deadlines etc.
- Quick & custom links

Programme / Process manager module delivered as Software as a Service

Allows custom best practice procurement processes (including: user guides, collaboration, templates and management approvals etc.)
to be mapped into the sourcing portal, to guide users through an end to end process and pro-actively drive compliance to corporate/procurement policies and initiatives, improve planning and management information (including driving systemic increased use of approved processes and procurement tools such as reverse auctions, total cost of ownership, collaborative procurement and category management).

eRFX/Tendering module delivered as Software as a Service

For managing the secure issue/return/evaluation of best practice RFX/tender processes (PQQ, ITT, RFI, RFP etc.). Functionality also includes:

- Secure supplier self registration and acceptance of terms and conditions
- Collaboration tools – for stakeholder and subject matter expert collaboration
- Aggregation tools – for collaborative aggregation of demand/volume for maximising buying power and optimising savings
- Web-questionnaires (forms) and auto-scoring for quick and effective evaluation
- Advanced Scenario and Total Cost of Ownership analysis
- Templates for improved productivity
- Reporting, audit trail and secure opening processes to ensure probity
- Fully integrated with the Programme manager module to drive end to end best practice processes

Auction Module delivered as Software as a Service

Allows RFXs etc. to be converted into dynamic auction events with multiple configuration options (forward/reverse, price focus/value focus, multi item/multi-lot etc), integrated into the Process/RFX modules for ease of use and productivity. This allows auction events to be run on a self service basis if required, although a common approach is a managed/part managed event where an experienced Auction consultant works closely with the Buyer/Category Manager to maximise savings potential and minimise risk.
Opportunity assessment is also offered to identify auctionable categories/contracts and the savings potential versus risk profile to help drive the use of auctions pro-actively (also the Programme/Process Manager module can include auction reviews/processes as part of the standard sourcing process and cascaded to the user community).

Vendor Management/Profiling module delivered as Software as a Service

Allows a custom registration process to be created to capture a vendor’s profile (e.g. categories of interest, capabilities, H&S, finance, SME/minority data, corporate social responsibility etc. etc.). This can then be used to:

- Identify suppliers with appropriate characteristics (category, capabilities, turnover, geography etc.) and invite them directly into a competitive tender.
- Supplier profile information can then auto-populate RFX responses saving them time in responding, meeting Glover report recommendations, the SME agenda and potentially increasing competition
- Custom supplier profile information can also be incorporated into a Spend Analysis supplier data enrichment programme capturing custom information that is accurate, comprehensive for all contracted suppliers without the cost and missing data often associated with 3rd party providers.

Contract Management delivered as Software as a Service

The Contract management module allows centralised secure repository of contracts, and related documentation. Functionality includes:

- Integration with sourcing modules, including data flows from sourcing (and to ERP if required) e.g. tender information, documents, items, pricing KPIs etc.
- Mass import existing contract meta-data
- Customised additional question fields
- Integrated Clause Library & MCD management
- Supplier MCD & price negotiation workflows
- Secure Contract document storage
- Customised templates and contract types
- Integrated Scorecards/KPIs, reporting and MI
- Automated expiry alerting

Vendor Performance Management delivered as Software as a Service

The Vendor Performance/Relationship Management module provides a framework for analyzing and improving supplier performance through participation analysis and performance measurement. Functionality includes:

- Dashboard reporting, lists and graphical analysis
- Enterprise scorecards
- Contract scorecards
- ERP integration
- Supplier comparison views
- Supplier participation analysis
- Integrated into Vendor Management Profiles

AWARD eEvaluation module delivered as Software as a Service

BravoSolution delivers the proven eEvaluation service via its sub-contractor QinetiQ Commerce Decisions Limited (QCDL). QCDL also provides best practice knowledge and expert services to assist sourcing projects through-life; from preparation, qualification, evaluation, negotiation to continuous supplier performance review and contract compliance.

eEvaluation provides a central web-based information and process infrastructure enabling project teams to carry out evaluations and reviews wherever they are located and without the need for any installation of additional software. This allows users to evaluate tender documents, make major contract decisions and monitor subsequent performance collaboratively, efficiently and effectively. It is proven to significantly increase contract value and reduce risk and has been used in projects totalling over £60 billion to date. Other evaluation/review activities as diverse as options analysis, Information Assurance Maturity Modelling and bid review are also supported.

We have been successfully delivering the SaaS hosted eEvaluation capability across the Public Sector since 2003.
The service is accredited to Impact Level 3 (IL3) and carries full RMADS. In addition, eEvaluation was part of the OGC/Buying Solutions eSourcing managed service/framework from 2004 until its expiry in 2011.

Since its launch in 2001, the eEvaluation service has achieved an enviable reputation for reliability, responsiveness, ease of use, resiliency and excellent customer service.

eEvaluation has been used to support strategic procurements in a range of sectors, including utilities, transport, central / regional / local government, healthcare, aerospace and defence, covering a broad range of activities including the provision of schools, hospitals, transport and defence systems.

eEvaluation is the most widely adopted eEvaluation tool used by the UK Government Departments, many Agencies and various local and regional organisations. Customers include Buying Solutions (now GPS), the Department for Transport, the NHS, Department for Work & Pensions, Olympic Delivery Authority, Ministry of Defence, Crossrail, Transport for London, BBC and the Foreign & Commonwealth Office.

eEvaluation is used to support various business processes:

- Tender Evaluation
- Document management and authoring
- Bid management
- Option analysis/appraisal
- Project performance review
- Supplier review
- Information Assurance management

Programme of blended learning, education and consulting delivered as specialist cloud services

To support the deployment to the buyer community a (CPD accredited) learning & education programme will be tailored to meet the team’s requirements to build competence and confidence in the use of the toolkits, embed the change successfully and realise the business benefits/ROI quickly, including:

- Basic training (classroom including workbooks and materials)
- Intermediate training (classroom including workbooks and materials)
- Advanced (team champion, user administration) training
- Online top-up training, competence testing & certification
- New version ‘differences’ training and on-demand ongoing top-up sessions
- Specialist consulting
- Best practice sharing and collaborative web forum for the buyer community (BravoSolution Education Network – or BEN)

Buyer and supplier adoption and ongoing support programme delivered as specialist cloud services

Ongoing support is as important as the training conducted during deployment, and typically includes:

- Professional helpdesk service (including call logging, call recording, out of hours recorded help etc.)
- Initial hands-on project support and ongoing on-demand training and project consultancy as required by local BravoSolution professionals.
- Best practice sharing and collaboration web forum for the Community (BravoSolution Education Network – or BEN)
- New version ‘differences’ training and on-demand ongoing top-up sessions

Pricing

Various licensing and pricing models are available to match the varying customer scenarios. These cater for organisational adoption (across a procurement department for example), large programme adoption or individual project usage.
Further options exist dependent on the customer preferences and constraints. Standard pricing is shown below. Other options are available based on different configurations, such as multi-tenant, shared portals – Bravo/QCDL account managers / administrators will recommend the best approach for particular customer adoption.

Pricing banding below is for annual user licences, provided as SaaS, payment annually in advance. Minimum 5 users for configured customer solution, except Spend Analysis where Minimum 10 users for configured customer solution.

eSourcing
Configuration Reference | No of users | Price for period of use for one year (excluding VAT)
ES1 | Up to 5 | £16,320
ES2 | Up to 10 | £26,640
ES3 | Up to 20 | £47,280
ES4 | Up to 50 | £66,000
ES5 | Additional Band of 10 | £13,200

Programme Management
Configuration Reference | No of users | Price for period of use for one year (excluding VAT)
PM1 | Up to 5 | £4,301
PM2 | Up to 10 | £8,603
PM3 | Up to 20 | £17,206
PM4 | Up to 50 | £43,014
PM5 | Additional Band of 10 | £8,603

Vendor / Performance Management
Configuration Reference | No of users | Price for period of use for one year (excluding VAT)
VPM1 | Up to 5 | £10,320
VPM2 | Up to 10 | £20,640
VPM3 | Up to 20 | £41,280
VPM4 | Up to 50 | £60,000
VPM5 | Additional Band of 10 | £12,000

Contract Management
Configuration Reference | No of users | Price for period of use for one year (excluding VAT)
CM1 | Up to 5 | £10,320
CM2 | Up to 10 | £20,640
CM3 | Up to 20 | £41,280
CM4 | Up to 50 | £60,000
CM5 | Additional Band of 10 | £12,000

Spend Analysis
Configuration Reference | No of users | Price for period of use for one year (excluding VAT)
SA1 | Up to 10 | £22,500
SA2 | Up to 20 | £35,000
SA3 | Up to 50 | £62,500
SA4 | Additional Band of 10 | £12,500

eEvaluation
Configuration Reference | No of users | Price for period of use for one year (excluding VAT)
EP1 | Up to 5 | £12,600
EP2 | Up to 10 | £18,910
EP3 | Up to 20 | £31,480
EP4 | Up to 50 | £62,950
EP5 | Up to 100 | £118,980
EP6 | Additional Band of 10 | £11,898

Minimum 5 users for configured customer solution, except
Spend Analysis where Minimum 10 users for configured customer solution.

Alternative innovative pricing proposals are available based on multi-year options/commitment. Licences may be transferred between users during the year but are subject to a minimum release period during which they cannot be transferred to a new user.

Consulting, training and support Services
Configuration Reference | Product | Price (excluding VAT)
ES1 | Technical Support Analyst per day (See also SFIA document). | £650
ES2 | Technical Support Consultant per day (See also SFIA document). | £950
ES3 | Technical Support Principal per day (See also SFIA document). | £1280
ES4 | Technical Support Director per day (See also SFIA document). | £1387
ES5 | 1-day super-user course | £2,880 including training materials
ES6 | 1-day standard course | £2,500 including training materials
ES7 | Training day | £2,500 including training materials
ES8 | Sample bundled Services Package for adoption of single module (8 days implementation support plus super user and standard day training). | £12,600 including training materials
ES9 | eAuction managed event Market Operations Centre support (Up to 10 suppliers, dummy event support, live event support and reporting, excluding consulting) | £3,000

Training and support options quoted above are for payment in advance. Please refer to BravoSolution for alternative payment models (eg. monthly in arrears, combination services etc).

Service Management and Service Levels

The SaaS web-based applications are delivered through a tried and tested technological infrastructure that has proven to be highly stable, scalable and secure. The solutions are centrally hosted and managed providing the following benefits:

- No need for risky, costly infrastructure setup and roll-out which often result in delays and technical incompatibilities
- Scalability due to optimal dimensioning of all subsystems and components (storage, webservers, bandwidth etc.)
  within the service delivery architecture throughout the life of the project
- Increased overall security of infrastructure and procedures since all potential security threats are constantly monitored and preventive/corrective action taken accordingly.

This innovative method of delivery of software applications is commonly referred to as “Software as a Service” (SaaS) deployment. Customers choosing our SaaS eSourcing solution are not required to invest any resources in additional HW/SW or IT staff to install, run, manage or upgrade the software solution. Under this model we are responsible for the following activities in accordance with strict contractual service levels:

- System setup and configuration
- Hosting (HW and connectivity)
- Custom strings/messaging
- System maintenance
- All base SW upgrades
- Nightly data backup
- Usage logs
- System performance monitoring
- Business continuity and disaster recovery (tested annually in accordance with BS25999)
- Security (all relevant security protocols with yearly third-party penetration testing and security accreditation)

We have one of the most advanced multi-tenant application delivery capabilities. The organization is in a position to leverage the true benefits of SaaS while providing the highest standards of service in terms of security, availability and performance required by the most demanding customers in the market.

There are no technical capacity constraints on the use of computing resources. Technical infrastructure envisioned for the project provides all necessary technical resources to adequately address the Customer requirements for global deployment of the solution.

The table below outlines some of the key characteristics of our Software as a Service (SaaS) offering:

Storage Limitations | None
User file upload constraints | Set by Customer
System availability | 99% (minimum monthly measure – excludes planned maintenance window)
System response time | Less than 5 seconds in 95% of typical use cases (ref direct connection to platform – excludes public network or client related lag)
Back-up and recovery | Included
Encryption | SSL 128
Maintenance/Patches/Upgrades | Conducted during weekends only – min 2 week notification

The service is administered by BravoSolution/QinetiQ Commerce Decisions staff, all of whom carry SC clearance. Management includes setting up new customers and – where requested – managing the user accounts and password resets. It is possible for customers to self serve once they have been configured for access.

Customers have access to a Help Desk that operates 8am to 6pm Monday to Friday excluding UK public holidays. We offer telephone support backed up by a dedicated support email address.

The service operates in a Tier 4 data centre with 99.995% uptime Service Level Agreement. See Financial Recompense below. We have never failed to achieve these figures.

The software is updated on average twice per year. For this and any other maintenance work, customers receive a minimum of two weeks’ notice and all work is undertaken during weekends in order to ensure minimal disruption to the service. Typical system downtime for planned maintenance is maximum 8 hours. In the event of a major change to the service, a planned full weekend shutdown will be scheduled. In this instance, customers will receive at least 6 weeks’ notice. Please note that such an event is highly unlikely.

Software changes are designed and planned in consultation with our customers and services teams via account manager interaction and via customer user groups.
Our policy with software updates is to ensure there is no impact to the customer’s experience, nor degradation of the service when an upgrade is applied. All new feature improvements are built to be additive and customers can choose to start using them at a time of their choosing. A release note is issued to all customers outlining the additions and changes to the software at least 2 weeks prior to rollout. In the event of a release with significant new functionality we will run awareness programmes and training sessions well in advance of the release date.

Customers are informed of proposed new functionality upgrades through official product management communications, user forums and user groups.

The service is monitored by in-house and third party monitoring software that sends administrators email and SMS text alerts of issues. These include any failure or inability to connect to the service and performance degradation.

All updates to the service infrastructure are tested in our DR site prior to live rollout and subject to robust and rigorous QA processes aligned and certified to best-in-class ITIL v5, ISO 9001 / ISO 27001 methodologies. All software updates are fully tested using an extensive set of automated, manual and performance tests to ensure that there is no degradation in customer experience.

Financial Recompense

Unless otherwise agreed, standard terms and conditions apply. See attached.

Information Assurance

BravoSolution is an ISO9001 accredited organisation for the delivery of web-enabled supply management solutions through the Software as A Service methodology.

The service is accredited to ISO 27001 and CESG Impact Level 3 (IL3). It can carry information up to and including UK Government RESTRICTED. The service has a full RMADS which can be supplied to any accreditor upon request.
The service carries an accreditation by the Government Procurement Service which has been reviewed, re-assessed and renewed annually since 2005. The current IL3 Accreditation Certificate is attached and available at: https://www.bravosolution.com/cms/uk/company/accreditations. Note that the hosting infrastructure is provided by Telehouse to ISO27001.

Administrators operating the service carry UK SC clearance; clearance numbers and expiry dates can be supplied on demand. Administrators comply with operational policies in relation to management of the service, covered by the RMADS and other policies such as Incident Management. Key data and documents are encrypted on disk and cannot be viewed by administrators.

We treat our customers as the Data Controllers and ourselves as Data Processors under the definition of the Act. Whilst the service does not hold sensitive personal data, it does contain audit trails which define the actions of its users and such data is treated as covered by the Act.

Backup and Disaster Recovery

The Service is delivered via a UK-based Tier 4 (under the TIA-942 definition) primary data centre with the highest available levels of redundancy and fault tolerance. The primary data centre has live and failover systems, the failover being an exact replica of the live application stack. There is live data replication such that in the event of loss of any primary parts of the infrastructure, it is possible to failover with no loss of data.

A physically separate Disaster Recovery (DR) site is located in a UK-based Tier 4 data centre. This also carries live replication of data via a secure network connection. In the event of the unrecoverable loss of the primary data centre, the DR site can be activated with minimal loss of data (one day at the most, with a probable-case scenario of zero to one hour loss).

Data backup includes the backup of the binary database log files that record every action in the service life – this is permanently retained. In addition a daily and weekly backup and retention cycle is used to provide specific backup points. The combination allows for restoration and fast recovery of customer data to any point in time (down to day/hour/minute/second) in the service’s life.

Backups are held electronically and offsite backup is achieved by replication to the DR site using the secure network connection. Data never leaves the secure data centres and there are no tape backups. All backups are 128-bit encrypted.

The system conforms fully with respect to provision of a system to Impact Level 3. Evidence for this lies in the Service holding a Risk Management Accreditation Document Set (RMADS) for the system to Impact Level 3. We can make the following statements with regard to compliance with HMG Guidelines for systems handling information at Impact Level 3:

Security

- The Service undergoes an annual IT Health Check as part of development of its Accreditation Documentation set
- Data is stored in a highly protected and secure data centre and servers and access to the data is controlled through strong username/password based access mechanisms as covered earlier in this document.
- Administrator access is restricted to a limited group of operators all of whom have SC level clearance or are in the process of being SC cleared.
- Administrators are not able to ascertain details of that data or documents held in the service, as covered earlier in this document.
- All user transactions are logged via audit trails and database binary logging with logs identifying individuals by unique ID, allowing for forensic level analysis of user actions if necessary

Confidentiality

- The Service can support electronic signature and receipt of critical transactions such as submission of documents or bids.
- A data protection policy exists to ensure protection of data held about the actions of individuals.
- An Incident Response Plan exists to respond to any perceived or real threat or security or related incident on the service. The plan has been developed with a CLAS consultant and all key staff to whom the plan relates have undergone training. A copy of this can be made available on request.
- An intrusion detection system and routine monitoring of log files are used to identify any attempted attack or threat of attack.

Availability

- The Data Centre and hosting environment behind the service provide a 99.9% uptime guarantee backed by service level agreements with the data centre supplier
- The Data Centre provides redundant power supplies and redundant internet connections to guard against loss of service by localized power or telecommunications failure.
- Uninterrupted Power Supplies will ensure that servers cannot go down and diesel based power generators exist to provide long term power in the event of a lengthy power shutdown.
- The hardware providing the service is built with dual redundancy in all hardware elements. For example each server has two network cards and cables, each connected to a different network switch such that no single component failure can disrupt the service; a backup always exists. The primary service cannot be disrupted unless several different hardware elements undergo simultaneous failure.
- The service is delivered in a multi-tier environment. Web servers exist in a DMZ which is separated by a firewall from the main servers. Application Servers and operating systems are separated from data storage.
- To ensure against disruption or loss, data is stored on a Storage Area Network (SAN) with the hardware redundancy described above. All SAN disks are configured in a RAID-1 format such that data is replicated to two disks. Loss of a single disk cannot lead to loss of data.
- The SAN has a number of ‘redundant stand-by disks’ – if any single disk fails, a stand-by disk will immediately replicate from its ‘sister’ disk and bring the system back to full redundancy. Several disks have to fail before redundancy is compromised, never mind data actually being put at risk.
- Hardware service agreements ensure prompt replacement of any failed components bringing the system back to full health.
- The primary data centre carries an exact replica or ‘failover’ of the Service’s primary infrastructure to which data is replicated in real time – in all three tiers, web server, application servers and SAN (data storage). In the event of a drastic loss of the primary service the failover service can be activated with no loss of data and no loss of capability.
- A Disaster Recovery instance of the service is located in a data centre in a different physical location from the Primary Data Centre, to handle a one-in-a-lifetime event such as loss of an entire Data Centre or infrastructure. A dedicated network link between the 2 data centres ensures both protection of data in transit and their real-time replication.
- The above is backed up by a documented Business Continuity Plan (BCP) which identifies roles and responsibilities and tasks to be undertaken to ensure either failover or disaster recovery. The BCP also covers plans for other elements of the Service including for example continuation of Help Desk and Consultancy services in the event of disaster affecting other parts of the business.
- Data is backed up incrementally and through a program of daily and weekly backup points to allow for data recovery if customer actions such as inadvertent deletion lead to loss of data.
- Backups are stored to disks using Network Attached Storage – a mechanism that is far more reliable than magnetic tape. The NAS also carries redundant hardware and disk configurations to protect against loss through hardware failure.
- Backup data is replicated to the Disaster Recovery data centre.

Monitoring and Audit

Our platform is designed with an extensive array of activity logging features ensuring that every element of activity is properly accounted for. Tracing is performed on a continuous basis for all system activities as well as user actions including sellers, buyers and BravoSolution support personnel and recorded by unique user id. A time stamp is associated with each record being logged. All logs are compressed and archived indefinitely providing our team and our clients with the capability of re-tracing system activities going back months or years.

Access to system logs is strictly controlled and limited to IT Management personnel who are authorized to view and analyse the information behind a written request by a claimant and by adhering strictly to our internal code of conduct on the matter.

The extent and nature of the logs, including database level binary logs, replication and access restrictions on logs ensure that no one person is able to alter the accounting log files.

Database binary logs and incremental backups ensure that data transactions can be forensically examined if necessary including recovering of systems to a point in time.

Log files are regularly monitored, primarily for the purpose of spotting untoward behaviour such as attempts to hack or bypass system security.

All systems are automatically and continuously synchronized through Network Time Protocol (NTP) to GMT. This is critical to ensuring the usefulness of our pervasive logs to the extent that the company is able to effectively and accurately determine cause-and-effect diagnosis. This is also a requirement in certain Government regulations to the extent that the service must guarantee proper synchronization with an “official” third party time provider.

Data Centre

The Service is hosted in a data centre managed by Telehouse located in London.
This has the following attributes:

• The Data Centre carries an ISO27001 certification and has achieved a level of 0 (zero) nonconformities identified
• Access to the data centre is restricted to authorized personnel who must provide appropriate photo-id based credentials to gain access. Physical access to the data centre is monitored and a register of access maintained. Access to restricted areas within the data centre is controlled by security access cards and codes
• The data centre carries 24/7/365 on site manned security and has a state of the art closed-circuit camera system both outside and within the data centre
• The servers and racks that deliver the Service are not labelled and are not identifiable except to a limited set of personnel responsible for the management of the Service
• The server racks are protected by a key lock system and a combination lock
• There is a fully redundant power supply with full balancing of the lines in order to guarantee power supply continuity in case of critical path failure through two 2MVA generators in N+1 configuration
• Data centre temperatures are constantly monitored and maintained at 21 °C +/- 3° and relative humidity maintained at 50% +/- 10%
• Colt Telecom are Europe’s premier telecommunications provider with over 11 ISC’s and a 20,000 km fibre optic network connecting 32 major European cities. The Data Centre has multiple internet connections with redundancy built in against failure of any single internet connection or provider.

Data Integrity

The integrity of the Service and all data held within is provided as follows:

• Virus Protection – a Gateway level state-of-the-art protection system updated every 4 hours scans all incoming and outgoing data (web traffic, emails, attachments/documents, etc.) to protect against compromise by virus. In addition all servers carry a further level of virus protection using latest technologies.
• Management of the system is limited to an identified set of individuals all of whom carry SC clearance in line with Impact Level 3 requirements. These individuals access the system either directly through the data centre or through a restricted and secure Virtual Private Network.
• All key pieces of information that might identify the purpose of a project or decisions being made are encrypted in the database such that no operator can gain knowledge of the purpose of that data whilst performing management and maintenance activities.
• All documents held in the system have their names obfuscated such that it is not possible to determine the purpose of a document. The contents of the documents are also encrypted. There is no mechanism within the service itself or its technical infrastructure to view, modify or affect the contents of any document. Documents can only be viewed and replaced by users with login and security access through the Service and by its application security and business logic.
• Access to the applications provided by the Service is controlled through secure HTTPS/SSL based access and users are authenticated through use of unique usernames and strong passwords. An authenticated user’s access is further controlled by application security logic based on the user’s role within the system. Customers also have the option of using two-factor authentication – that is, in addition to the password, the user must be in possession of a physical certificate or (using OATH based authentication protocols) generate a one-time login key that must be supplied to the Service as part of their login.
• The Service is capable of supporting document digital signature process in which the authenticity, confidentiality, integrity and non-repudiation of documents are maintained during all exchanges among users (buyers and sellers) involved in eAuction activities.
• The service has in place a Network Intrusion Detection System (NIDS) set up for detecting any attempt to break into or misuse the technology involved in the delivery of the Service. The NIDS monitors all network traffic (packets on the network wire) and attempts to discover if a hacker/cracker is attempting to break into a system (or cause a denial of service attack).
• The Service carries an array of activity logging features whereby every action or operation performed by any user is tracked and logged with a timestamp and id of the user performing that operation. This information is archived indefinitely and can be used to trace activities months or even years in the past. Access to logs is strictly controlled and limited to those who are authorized to view and analyse the information upon a written request by a claimant and by adhering strictly to our code of conduct on the matter.
• The Service has a minimal external system exposure. A hardware firewall ensures that only those components (web servers) strictly needed for contact by the outside world are accessible from the public internet. All other ports and servers cannot be directly accessed. Internal firewalls further protect application and database servers from intrusion.
• The Service undergoes penetration testing. This is carried out for the development of the Impact Level 3 Accreditation Document Set and also independently of this, using the services of ‘white collar’ hackers – industry experts who ensure that the service cannot be compromised.
• A high level of physical security exists within the data centre to protect against physical access to the servers housing the data. The data centre carries 24 hour manned security and state-of-the-art closed circuit monitoring systems. Only persons on an authorised list are granted access to the servers and the secure areas of the data centre are protected by access doors requiring electronic cards or codes.
The server racks are further protected by combination security locks. Access to the servers is protected by strong passwords which are available only to authorized Administrators.

Technical Policies and Procedures

The service is operated through a set of policies and procedures made up of the following elements:

• Access to the IT infrastructure of the service is restricted to identified individuals with clear roles and responsibilities, all of whom carry SC Clearance in line with Impact Level 3. In order to access the data centre, these individuals must be on a register of nominated administrators and present Government issued photo-id as proof.
• In addition to the physical measures to protect against the loss of services, a Business Continuity Process exists for ensuring continued delivery of the service in event of disaster. This covers both the application platform (for example loss of the primary data centre) – but in addition covers all aspects of our service delivery model
• An Incident Management Plan exists to ensure that BravoSolution and its subcontractors deal effectively with any security or other incidents identified by it or reported to it
• We routinely monitor all elements of our IT Infrastructure for patches, particularly those related to security improvements or new industry standards, and these are routinely applied to ensure continued integrity of the service

Buyer and supplier support, adoption and ongoing support programme delivered as specialist cloud services

BravoSolution delivers a comprehensive support desk system that is available 08.00 to 18.00 – Monday to Friday (excluding UK Public Holidays). In addition to this we offer comprehensive training and support services.
Our consulting service provision provides through-life support for all levels of adoption issues, from supply management tool support to the provision of the intellectual support required to provide expert advice to the most significant procurement exercises in the UK public sector. Our knowledge and provision is backed up by an extensive, blended training programme covering both best practice and use of the software through classroom and online channels. Our software has been designed to be easy to use, and our performance response times consistently meet and exceed those required in GPS frameworks.

It is our policy to resolve any queries/issues as soon as possible following receipt of a call. Generally calls are resolved within that initial call. Any issue that cannot be resolved on the first call is immediately directed to the appropriate team for resolution. Outstanding customer support calls take priority over all other work within our operations team. Any issue not resolved within two hours is escalated through agreed escalation issue resolution protocols. The customer will be updated on progress on a regular basis.

Through a ‘hands-on’ approach, supported by tutorials and interactive classroom teaching, our training courses give attendees a practical working knowledge of the key capabilities from all perspectives. We can provide bespoke support to individual projects or organisational rollout, as required by the customer.

BravoSolution offers all the training courses and certifications necessary to enable your user base to obtain immediate value from BravoSolution’s applications. Our educational services offer both fundamental and advanced courses, providing a quick and easy means to get users started while at the same time giving them opportunity for more advanced training to maximize the benefits accrued from using the application.
The program leverages blended learning technologies, a combination of classroom and online products designed to provide education and assessment to students at the time these services are needed.

An example of some of the training available surrounding one of the available modules, eEvaluation:

Taking procurement evaluation as the most commonly delivered example: The eEvaluation practitioner course addresses evaluators, team leaders, project managers, project administration staff and decision-makers. It provides the grounding to allow them to undertake all those day-to-day activities delivered to them within the eEvaluation service.

The evaluator users will be trained to evaluate proposals, submit clarifications and to access documents in eEvaluation and manage RFP and proposal documents. This is most commonly achieved via a briefing rather than classroom training. It is recommended that administrators and project managers undertake more comprehensive training, to include activities such as eEvaluation configuration, implementing evaluation models in the eEvaluation tool, setting up users and their responsibilities, managing RFP and proposal documents and reporting.

BravoSolution / QinetiQ Commerce Decisions also supports the organisational rollout of eEvaluation with the provision of Train-The-Trainer workshops - these allow us to equip key customer personnel to gain a more in-depth understanding of eEvaluation in order to support internal users. In addition, the eEvaluation capability can be delivered in re-usable templates, reducing the training overheads and total cost of ownership to our customers.

Process/domain training has built an unparalleled level of expertise in the areas of bid evaluation and contractor downselection, having supported projects totalling in excess of £60 billion.
Various best practice training is available – this is tool/service independent but is often delivered as part of the project or organisational rollout plan for the eEvaluation service. We can provide bespoke support to individual projects or organisational rollout, as required by the customer. These services include:

• Development of the evaluation plan
• Facilitating criteria development and weightings
• Conducting pre-evaluation sensitivity analysis
• Facilitating evaluation dry-runs to validate and optimise the approach
• Development of appropriate scoring scales for the technical, commercial and soft-issue criteria
• Conducting post-assessment sensitivity
• Production of evaluation reports
• Conducting bidder debriefings, with appropriate justification and traceability to the bid documents
• Implementation of all aspects of the eEvaluation tool, ensuring time savings and quality benefits with minimal learning curve
• Organisational deployment support

We can also provide more embedded, long-term support to the customer, as a manager or facilitator of the supply management processes. In this scenario we would join your team for an agreed period, and facilitate the process, bringing together many services into a cost-efficient package. This enables the project teams to focus their domain expertise.

Sample training option summary:

Evaluator Briefing, Bespoke and Standard: For customers who wish to adopt eEvaluation whilst making use of support from BravoSolution / QinetiQ Commerce Decisions to configure the software for the specific procurement project we offer evaluator briefings – a short training session designed to show the (potentially large group of) people involved in a supplier evaluation how to make effective use of the software. There is a standard version, and a bespoke version, the latter being tailored to the project’s requirement.

Training day: These can be used to support procurement activities as required by the customer.
For example, a customer may wish to make use of the existing built-in templates (or modified versions created for individual customers) – we offer template-based training to the smaller number of evaluation managers who will be involved in configuring the software for a supplier evaluation.

eEvaluation Practitioner, Bespoke or Project: For customers who wish to be able to make more extensive use of the features of the software to configure and / or administer projects requiring a more bespoke configuration we offer eEvaluation Practitioner training. There is a standard version, and a bespoke version, the latter being tailored to the project’s requirements.

On-boarding

BravoSolution / QinetiQ Commerce Decisions has a 13-year track record in delivering the Service and supporting consulting, training and account management to our customer base in UK Public Sector. The last six of these have been as a provider on the GPS eSourcing Managed Service/Framework.

A customer wishing to place an order will be contacted by an account / administration manager. On agreement of the level of service required, an order may be placed via the catalogue. An implementation plan can be agreed, where relevant, to include the necessary training or support services.

Service activation occurs on receipt of a valid order, unless otherwise requested (when creating customer specific configurations etc.). The customer nominated points of contact are issued with usernames and passwords, and given access to the service in a dedicated account. Licence extension or modification is also agreed via the account manager and licence changes can be applied within minutes.

Upon activation of the service, customers have the option of administering the service themselves, or using the BravoSolution Help Desk for basic administration tasks depending on the support / delivery options adopted.
Support/training services can be purchased for assistance in the management of the system whilst executing projects. Where consulting has been purchased, an agreed plan of work will begin with the appointment of the lead consultant and, if required, a kick-off day to initiate the project.

The nature of the support required by customers is wide-ranging and varied. Customers can choose from a set of available training, support and consulting programmes (see sample training section above). Alternatively, BravoSolution/QCDL can put together a bespoke programme of support to address any specific requirements of the customer.

Many customers choose to use a Kick-start package of training and support to enable them to rapidly adopt and deploy the software on a specific project. This package is based around the use of one of the pre-configured templates and assumes that the customer will be undertaking the configuration of the software with the training and support included in the Kick-start package. Where the nature of the project is such that the built-in templates are not appropriate, or a customer wishes to outsource the configuration of the software, bespoke templates can be configured, and/or a package of support can be provided.

Imports of data are through standard web-interfaces and Excel / CSV formats.

Offboarding and Termination

Customers can sign up on a project specific or time expiry based licence with a given number of users. Customers have the ability to export data in Excel or HTML format and extract documents from the service if they wish for backup or archival processes.

On expiry or termination of a licence, the data may be made available to the customer in read only, restricted IP address access format. This additional access can be agreed prior to / on contract termination. Additional read-only access may be agreed beyond framework/contract termination – actual terms to be agreed on a case-by-case basis.
Data Restoration/Service Migration

See Backup section above for BravoSolution’s backup policies. In the event of data loss it is possible to restore data to any point in time using the data backup and archives. Data is recovered in the DR site and then transferred to the live site. A charge may be levied for data restoration service if extensive recovery work is required as a result of the data being lost through the action of the customer.

If the customer wishes to transfer data to an alternative service they are able to extract documentation held via ZIP based export and extract other data in either HTML or Excel format.

Trial Service

During account initiation (see Onboarding) a trial service can be set up for the purposes of proving infrastructure and accessibility. There would be no charge for this.

Response to Detailed Questions

Below is a table outlining how our service meets specific criteria.

Q-G06
Features: Networks to which the service is connected (directly)?
Our Response: The service is run from a secure data centre and accredited to handle data to Impact Level 3. It is not connected to any other network. Access is over the internet using HTTPS with the connectivity compliant to Manual T.

Q-G07
Features: 'API' access available, documented and supported?
Our Response: API access is available, documented and supported as part of the standard BravoSolution Integration Module (BIM), which fully documents a series of open standard web-services via the HTTPS protocol. Please also see attached summary document: “BravoSolution SaaS Suite - Integration Services.pdf” and “BravoSolution SaaS Suite - Infrastructure and Information Assurance.pdf”

Q-G08
Features: Open Standards supported and documented?
Our Response: Standards supported within the application are based on pragmatic real-world customer requirements. BravoSolution’s enabling technology is entirely based on open standards such as Linux, JSP (Java Server Pages), JavaScript, J2EE (Java 2 Enterprise Edition), HTML, XML, XSL, MVC (Model View Controller), JDBC, JAKARTA STRUTS. This ensures full compatibility and seamless interoperability of each component of the system architecture with the best available web-based technologies throughout their rapid evolution in time. We have invested significantly in the development of functionalities based on Service Oriented Architecture (SOA) aimed at improving the interoperability of the e-Procurement technology with external platforms (client ERP or other business systems). The company has already developed a set of Web Services able to securely connect the various modules within the application to external systems, both during component set-up phase and when extracting data from negotiations’ archives.

Q-G09
Features: Open source software used and documented?
Our Response: We make use of Open Source software. Documentation is available on the components and 3rd party applications that are used. We can provide this on an as-needed basis. BravoSolution’s enabling technology is entirely based on open standards such as Linux, JSP (Java Server Pages), JavaScript, J2EE (Java 2 Enterprise Edition), HTML, XML, XSL, MVC (Model View Controller), JDBC, JAKARTA STRUTS. This ensures full compatibility and seamless interoperability of each component of the system architecture with the best available web-based technologies throughout their rapid evolution in time. See also “BravoSolution SaaS Suite - Infrastructure and Information Assurance.pdf”

Service Management

Q-G10
Features: Technical boundaries/interfaces of the service documented?
Our Response: The service is in a secure data centre and accredited to handle data to Impact Level 3. It carries an RMADS which identifies the technical boundaries and fully documents the risks, mitigations and residual risks.
Please also see “BravoSolution SaaS Suite Infrastructure and Information Assurance.pdf”

Q-G11
Features: Services available to other suppliers so they can use them to provide services to government?
Our Response: We do work alongside partners in delivery of the service and associated support/consultancy services as part of a wider offering and are open to working with additional government suppliers in this way as needed by particular customer(s). Examples include BravoSolution Integration Modules, SSO provisioning etc.

Q-G12
Features: On-boarding process e.g. moving on to the service?
Our Response: There is a simple onboarding process - our account management / administrative team provides an interface to customers and will determine licensing needs and provide quotations and license sign off. Once this is done, a customer account can be switched on and made available in a matter of minutes, where an existing un-configured solution is chosen. As part of the service provision we provide a business-hours Help Desk and consulting services to provide either training, ramp-up or "run the system for you" services to assist customers in deploying use onto individual projects or cross-organisational rollout. To enable quick adoption, our services include Template and "Kick Start" packages allowing customers to achieve success quickly and with low levels of investment/cost of ownership.

Q-G13
Features: Off-boarding process e.g. moving off the service?
Our Response: Customer data may be held online in IP access restricted, read-only format to be interrogated by the SaaS on expiry of licenses. This service is provided to the original contracted service levels and security protocols and is available at a chargeable rate. Customers can freely extract data in Microsoft Office and HTML formats as well as extract any documentation stored on the service.

Q-G14
Features: Data extraction/removal criteria met?
Our Response: Confirmed. Extracted / removed / destroyed in line with customer requirements.
See above Q-G13 and “BravoSolution SaaS Suite - Infrastructure and Information Assurance.pdf”

Q-G15
Features: Data processing and storage locations defined?
Our Response: The data is run from highly secure (Tier 4/TIA-942) UK data centres. There are two data centres, a Primary and Disaster Recovery. The two are connected by a secure data link. There is no off-shoring of data. An RMADS and accreditation to IL3 exists.

Q-G16
Features: Data location option can be defined by user?
Our Response: We provide the service from our UK located data centres - the service is accredited to store data to Impact Level 3 and the security implications mean we provide a fixed and closed service. Options for other locations are not provided although we are amenable to supporting internal installation within customer locations or on alternative hosted infrastructure if this is desirable to the customer.

Q-G17
Features: Data held in Safe Harbour (if applicable)?
Our Response: This is not applicable. The service is in a secure data centre and accredited to handle data to Impact Level 3 and all data including DR is stored entirely within the secure UK data centres.

Q-G18
Features: Data centre(s) used adhere to best practices described by the EU Code of Conduct for Data Centre Operations?
Our Response: Our data centre provider is compliant. It holds an ISO 27001, ISO9001 and ISO4001 accreditation as proof of compliance with Environmental and Carbon Trust Standard guidelines and meets or exceeds these guidelines

Q-G19
Features: Data centre tier?
Our Response: Tier 4 under TIA-942 definition

Q-G20
Features: Support boundaries/interfaces of the service documented?
Our Response: Yes. “BravoSolution SaaS Suite - Infrastructure and Information Assurance.pdf” and “BravoSolution SaaS Suite - Integration Services.pdf”. In addition, we run a Business Hours Help Desk based on telephone and email support. There is clear separation of Service Administration and Customer Support roles and operational policies in place for the support we offer and interaction with customers. Our Support team is responsible for providing software support and help with use of the software to achieve particular goals. Our Services team is responsible for providing best practice advice and support to customers and for executing projects on the customer’s behalf. Our package definitions, engagement and project management approach with customers clearly identify the organisational support roles they can expect from us and delineate areas of responsibility.

Q-G21
Features: Service roadmap provided?
Our Response: Yes. In addition to below, also see . We work with our customers to define customer and market requirements and changes to the software to meet those requirements. This is via individual contact with our Help Desk and Consultants and via User Groups/Forums. All changes to the product are carefully specified and built to ensure no operational change to existing data or end-user experience. The product release cycle includes early notification of planned features, formal release notes delivered to customers prior to rollout and advanced warning of any downtime to provide system updates. All planned downtime is carried out outside of UK business hours. Examples:
• Strengthen Negotiation Model
• Worksheets
• Usability Aesthetics Improve VRM
• Scoreboards
• Optimization
• Document Level Savings
• DIY Customer Reporting
• Threshold Based Workflows
• Aggregated Projects
• Glance based object status
• UI Improvement Findings*
• Improved support for output to Microsoft Office formats
• Revamp of the graphical output to support developments in browser technologies
• Improved controls for user specified output content and layout
• Ongoing improvements to support new/updated browser technologies and security considerations.

Q-G22
Features: Performance attributes defined and documented?
Our Response: Yes. We have a series of quality assurance and system performance/load goals and formal specifications of how these will be met. These are tested and verified at each release under ITIL V5 methodologies - each release cycle will also update these attributes to account for new features or other changes to the service. Service performance attributes are well defined and cover availability, response times, querying speed etc in the service definition. Our design aim is to provide end user response times of 4 seconds or less for all major operations given a broadband level internet connection. We use a Tier 4 data centre with a high level of internet connectivity and capacity to provide the backbone to deliver this. To ensure we achieve targeted performance levels we benchmark all server side operations and these form part of an acceptance load test. Prior to each release the service is tested under simulated loads that exceed those experienced in Production systems and at each release we ensure no degradation against performance, taking any remedial action that is necessary. Additionally we monitor production system performance to ensure target loads are achieved

Q-G23
Features: Backup & Disaster Recovery?
Our Response: A full backup and disaster recovery policy is in place. This is documented in the Service Definition and see “BravoSolution SaaS Suite - Infrastructure and Information Assurance.pdf”

Q-G24
Features: Is a support service provided and documented?
Our Response: We provide a telephone based Help Desk between 8am to 6pm Monday to Friday, excepting UK Public Holidays. Email based support is also available at these times. We also provide training and specialist consulting services which often form part of the customer engagement with us. The service is made available to all active licence users through dynamically available web-pages and includes contact detail updates (such as telephone number, email, web-call me back etc) available times etc.

Q-G25
Features: 'Real time' management information available?
Our Response: Customers are able to access real time information about various aspects of the service to manage project and organisational usage of the system, including realtime application reporting. Within the constraints of the security accreditations and compliance with Data Protection we often additionally provide specific summary information to customers. Detailed information about user actions is logged, but only divulged in compliance with Data Protection guidelines.

Q-G26
Features: Reports include each billed unit?
Our Response: Yes – various options in this area are available. However, the service is most commonly billed in advance, so not routinely provided. Bills will generally indicate the units and numbers of units purchased/delivered

Q-G27
Features: Self service provisioning/de-provisioning?
Our Response: Whilst self-service provisioning / de-provisioning is available, the specialist nature of the service and the specific audit trail requirements mean that most customers do not take advantage of this approach.

Q-G28
Features: Indicative time for provisioning/de-provisioning documented?
Our Response: Minutes to set-up new users / provisioning / de-provisioning on self-service basis. In addition, frequently customers work with our account management team to agree licensing and delivery approach. Following receipt of purchase order, it is possible to activate the service for a customer in a matter of minutes on our SAAS foundation. We have a series of predefined packages for self-service (with training) or consulting led use ranging from project specific to organisation wide rollout of the service. We work with customers to understand their needs and provide a suitable standard or custom model. User competence is obtained in anything from 1 hour (for simple access) to several days training and some weeks experience (for more complex configuration tasks).

Q-G29
Features: 3rd party service monitoring tool access?
Our Response: We use internal and 3rd party monitoring of the service. Internal monitors assess the performance of the various elements of the service from database through to web servers against defined thresholds and notify administrators of any issues. 3rd party monitoring of the service from remote locations will identify availability, response times and any downtime and inform administrators via email and SMS.

Q-G30
Features: Service Desk can be used by 3rd party suppliers for their services - e.g. small SaaS provider?
Our Response: Yes by mutual agreement. BravoSolution has provided other support service desk services for SaaS solutions including SAP, sell2wales and others.

Commercial

Q-G31
Features: Unit based pricing model?
Our Response: The SaaS modules are typically priced on an individual unit based pricing model, by module, number of users and usage timescales. Frequently the service is priced on an annual, per user, pricing model. Many other models are available and will be selected depending on the nature of the engagement (project – SML, organisational SML etc). Please refer to the pricing tables in the Service Definition for more detail or BravoSolution for the most appropriate option.

Q-G32
Features: Aggregated billing options?
Our Response: Yes, the service billing can be aggregated across accounts or multiple users / cost centres in an account.

Q-G33
Features: Minimum Contract/Billing Period?
Our Response: One month for individual unit based pricing in addition to existing minimum one year contract. One year for large scale, customer specific configurations.

Q-G34
Features: Free option?
Our Response: No

Q-G35
Features: Trial Option?
Our Response: Yes in certain circumstances – refer to ‘Trial Service’ in the Service Definition

Q-G36
Features: Termination costs?
Our Response: No. Customer data may be held online in IP access restricted, read-only format to be interrogated by the SaaS on expiry of licenses. This service is provided to the original contracted service levels and security protocols and is available at a chargeable rate. Customers can freely extract data in Microsoft Office and HTML formats as well as extract any documentation stored on the service.

Q-G37
Features: Supplier contract terms jurisdiction?
Our Response: Contract terms are under English law.

Q-G38
Features: Payment Options?
Our Response: Purchase Order, Credit Card, BACS

Clients

Q-LOT3-1
Features: Web browser interface?
Our Response: The software supports all versions of Internet Explorer from Version 6 onward and Firefox. Other browsers such as Chrome and Safari and those on mobile devices can also be used, however are currently undergoing official support accreditation.

Q-LOT3-2
Features: Supported web browsers documented?
Our Response: The software supports all versions of Internet Explorer from Version 6 onward and Firefox. Other browsers such as Chrome and Safari and those on mobile devices can also be used, however are currently undergoing official support accreditation.

Q-LOT3-3
Features: Details of other thin client modes documented?
Our Response: There are no other client requirements, only a web browser is needed.

Q-LOT3-4
Features: Other client software documented?
Our Response: As above

Q-LOT3-5
Features: Smartphone Access?
Our Response: The software CAN be accessed from Smartphones, but due to the nature of the application there is not currently customer demand for Smartphone access and this is not currently formally supported. This is reviewed regularly to assess whether future support is required.

Q-LOT3-6
Features: Off-line working & synching?
Our Response: The service supports off-line working through the use of export / import routines with standard MS Office templates such as Excel. Users can download to MS Office applications, work on the content and upload into the application. Full document management capabilities, such as check-in, check-out, version controlling, freeze etc are supported.

General Features

Q-LOT3-7
Features: Attachment support?
Our Response: The service fully supports the ability to load documents - its primary purpose is to support the supply management process, including significant requirements for access to and evaluation of specific information documents, such as bids, supplier information etc. It has full attachment support of any type of document/file.

Q-LOT3-8
Features: Anti-virus protection?
Our Response: The service has full Anti-Virus protection. Also see “BravoSolution SaaS Suite - Infrastructure and Information Assurance.pdf”

Q-LOT3-9
Features: International Language Support?
Our Response: The software is capable of operating in any language including far-eastern multi-byte character sets. The captions and online help system within the software can also be translated into any language including far-eastern multi-byte languages. Currently the solution is available translated in English, German, Italian, Spanish, French, Dutch, Chinese, Welsh.

Q-LOT3-10
Features: Workflow facilities?
Our Response: Yes, the service is supported by workflow facilities relevant to the conduct of supply management activities. This is delivered through embedded module capabilities and the programme management module, and includes approval processes, information capture, assessment, pre-requisites, dependencies, task promotion etc including alerting, messaging.

Q-LOT3-11
Features: Importable taxonomy?
Our Response: Yes, taxonomy structures may be created within the service, or imported from existing offline tools, such as MS Excel. BravoSolution has supported the definition / import of taxonomies with ~6 levels and several thousand individual ‘leaves’.

Q-LOT3-12
Features: Taxonomy facilities?
Our Response: As above. The facilities include assignment to various modules within the same or different taxonomy structures. BravoSolution also provides services to support taxonomy definition.

Q-LOT3-13
Features: Folksonomy support?
Our Response: Folksonomy is currently supported within the online community BEN including cloud tagging etc.

Q-LOT3-14
Features: Plug-in / extension ready?
Our Response: There are no significant integration requirements leading to the need for plugins or extensions. The service is internet facing and offers the ability to
manage data to Impact Level 3 (RESTRICTED) and has extensive firewall protection. For security reasons we rarely not make use of plugins/extensions. Q-LOT3-15 plug -in / extension See above – not generally applicable marketplace? Commercially Confidential PAGE 30 We make information available to publicly required advertisement notice sites via web-services / xml Syndication? standards. Generally other supply management activities are not made available elsewhere. Q-LOT3-16 Native search? The service supports native search of information input into the service. Q-LOT3-18 Native support of bulk input / export of data & meta-data in standard formats? BravoSolution supports import / export of data and meta-data through pre-defined formats and routines. These include contract header information, supplier registration information etc from MS Excel standard template formats. Mass document uploads may also be imported from standard routine formats. Q-LOT3-19 Link Management? Q-LOT3-17 It is possible to enter links to either data within the service or to any external and accessible web content. Business Continuity Q-LOT3-20 Separated environments: Publishing / Editing / Search? Q-LOT3-21 Caching? Whilst the breakdown in the question is not strictly applicable to our service, we have a complete DR facility in place with real time data replication to a physical separated UK DR data centre. This is described in our Service Definition. “BravoSolution SaaS Suite - Infrastructure and Information Assurance.pdf” As above - live replication of data to a DR site. “BravoSolution SaaS Suite - Infrastructure and Information Assurance.pdf” Authorisation, Authentication and Personalisation Q-LOT3-22 Q-LOT3-23 Q-LOT3-24 The service has pre-defined SSO web-services available for integration identity systems, including automated Integration with Identity user provisioning where applicable. This typically Systems? 
requires customer specific definition and implementation, particularly in the context of the existing IL3 accreditation. It is possible to record details of users in line with the User profile page? needs of our service. The software has extensive features to provide comments against data that is being collected or Comment on item? processed. These are configurable, with predefined configurations included in templates. Comment facilities include collaborative discussion threads. Integrated Communications tools Q-LOT3-25 Instant Messaging? The service is support messaging between users. Commercially Confidential PAGE 31 Yes. The service supports searching / filtering / supporting of embedded meta-data. The service is developed to provide a robust audit-trail surrounding eDiscovery? all user activities for use in reporting and natively supports eDiscovery activities through the principles of Privacy, Authentication, Integrity and Non-repudiation (PAIN). Yes. These may be imported from other BravoSolution Migration Tools extract formats, or by mass-loading of information, Available? such as evaluation criteria etc in formats such as excel / csv Q-LOT3-26 Q-LOT3-27 Q-LOT3-28 Q-LOT3-29 Q-LOT3-30 Video Conferencing? The service does not support video conferencing. The service supports a restricted network social network called the BravoSolution Education Network Social Networking? (BEN) with embedded blogging, messaging, forums and learning environments. The service supports a restricted network social network called the BravoSolution Education Network Social Networks? (BEN) with embedded blogging, messaging, forums and learning environments. Q-LOT3-31 Calendars? Yes. With integration into other modules. Q-LOT3-32 Contact Management? Yes. With integration into other modules. Q-LOT3-33 Yes. Users of the service are given To-Do lists of projects and tasks within projects based on their user assignments. The system also supports on line and To Do Management? 
email based alerting - users are alerted to tasks they need to complete and can follow a link that accesses their data via secure login to the Service. User Generated Content Q-LOT3-34 The service supports a restricted network social Solution provides network called the BravoSolution Education Network Blogging capabilities? (BEN) with embedded blogging, messaging, forums and learning environments. Q-LOT3-35 Solution provides wiki The support network / user help is delivered and capabilities? supported via a wiki interface Q-LOT3-36 Solution provides forum capabilities? Q-LOT3-37 Solution provides content rating capabilities? Commercially Confidential The service supports a restricted network social network called the BravoSolution Education Network (BEN) with embedded blogging, messaging, forums and learning environments. Content rating capabilities are not directly relevant to this service. However rating within the context of supply management is available (contract rating, supplier rating, bid rating etc). PAGE 32 Q-LOT3-38 Q-LOT3-39 Q-LOT3-40 Content rating capabilities are not directly relevant to Solution provides content this service. However rating within the context of recommendation supply management is available (contract rating, capabilities? supplier rating, bid rating etc). The service supports a restricted network social network called the BravoSolution Education Network Solution provides social (BEN) with embedded blogging, messaging, forums and media sharing e.g. tweet learning environments. Otherwise IL 3 restrictions this? currently mean no embedded social media sharing currently available, however open to continuing dialogue regarding the relevance. Solution provides Stop word filtering is an embedded feature of relevant automated stop word areas of the service, for example the spend analysis filtering? cleansing suite. 
Un-listed service

Q-LOT3-41 What is the name for the service (if different from response in "About your Services" section)?

Q-LOT3-42 Price for most common configuration (i.e. Supplier's best selling or expected best selling configuration)?
A common unit priced package comprises 5 annual eSourcing £16,320, excluding VAT for a single year. This price includes the annual maintenance charge, which gives access to the Help Desk and product updates for the licence term.

Q-LOT3-43 Minimum service unit pricing interval?
1 year, or part thereof by agreement, for non-customised solution in conjunction with existing one year contract. 1 year for customised, configured solutions.

Q-LOT3-44 Is the service Public or Private?
The service is an internet facing "Public Cloud" service. It is possible for the service to be installed on specific customer sites or as part of a Private cloud installation - this last case would require 3rd party product licenses for dependent products such as the database which would be chargeable.

Q-LOT3-45 Impact Levels (ILs) at which the service is accredited to process and/or store information (actual or target)?
The service is accredited to Impact Level 3 (RESTRICTED) - actual. It carries a full RMADS and is accredited by the Government Procurement Service. The accreditation has been in place since 2005 and is renewed annually.

Q-LOT3-46 Has the service been accredited?
The service is accredited to Impact Level 3 (RESTRICTED) - actual. It carries a full RMADS and is accredited by the Government Procurement Service. The accreditation has been in place since 2005 and is renewed annually. “BravoSolution SaaS Suite Infrastructure and Information Assurance.pdf”

Features

Q-LOT3-47 How would you categorise the service e.g. Billing / Social Media etc?
SaaS Procurement and Supply Management service solution
Q-LOT3-48 Short description (summary) of the service?
The proposed solution is based on an off-the-shelf web-based software package from BravoSolution and incorporates over 350 man-years of research & development entirely focused on web-based procurement lifecycle automation.
Component modules include, but are not limited to:
- A secure Portal
- Spend Analysis
- Programme/Process manager module
- eSourcing module (including eAuctions)
- Dedicated eEvaluation module (AWARD QCDL)
- Vendor Management/Profiling module
- Contract Management Module
- Vendor Performance Management Module
- Deployment programme of blended learning & education
- Programme for Buyer and supplier adoption including training and ongoing user support
- On-demand sourcing enablement and consulting/operational support
BravoSolution has more than 400 clients in 30 countries and its supply management software is currently used by over 50,000 procurement professionals worldwide. The company is proud to support a portfolio of leading client organizations including The Scottish Government, Glasgow City Council, L’Oreal, GE Aviation, BBC, NHS Heart of England, PepsiCo, DuPont, Unilever, Welsh Assembly Government.

LOT 4 - Specialist Cloud Services

Q-LOT4-1 Do you provide services that support Cloud services?
Yes. Our company provides SaaS, and our consulting/services team provides specialist support in two areas. Firstly tool support, providing support to customers in use of the suite tool and specialist services such as developing of re-usable templates, guidance and training. Secondly "expert advice" and support to assist customers in designing and implementing supply management processes. This is most commonly applied to major procurement exercises resulting in high quality, efficient and legally compliant procurements, particularly where compliance with OJEU is needed.

Q-LOT4-2 Do you provide vendor specific services?
Our service is not specific to any particular vendor.
Q-LOT4-3 If the vendor(s) have accreditation, are you accredited?
See above – not applicable

Q-LOT4-4 Vendor accreditations?
See above – not applicable

Q-LOT4-5 If your services are unit priced, price for most common configuration (i.e. Supplier's best selling or expected best selling configuration)?
There are a variety of different pricing/delivery models including both unit priced and resource based. A common unit priced package supports a small to medium sized procurement evaluation and involves up to 8 days plus tool training and assessor briefing. This package of support is referenced as ES1 (eEvaluation Services Package 1) and is priced at £13,600, including T&S and excluding VAT.
For the purposes of this entry, a small/medium sized procurement evaluation is defined as follows:
- It does not have a very large number of criteria (i.e. less than 200)
- All criteria apply equally to all bidders (i.e. there are no “lots”, “regions” or “options” to be evaluated)
- A small number of different scoring scales will be used to evaluate the entire set of evaluation criteria (i.e. 5 or less scoring scales)
- The evaluation will not take a long time (i.e. less than 2 months)
- Where the evaluation team will comprise less than 15 individuals.
Support is focussed on the configuration and use of eEvaluation with the minimum support for preparation and other activities.

Q-LOT4-6 If your services are resource based, priced SOFIA table provided?
Yes. Please refer to "BravoSolution SFIA Definitions & Rate Card v1 0.docx". Please note that the SFIA rates quoted are for 8 hours, as per the SFIA specification. The SFIA rates therefore vary from the STANDARD rates because they have been pro-rated to reflect the additional half hour.

Un-listed Service
Please complete if your service does not fall into the categories listed below in the Services section

Q-LOT4-7 What is the name for the service (if different from response in "About your Services" section)?
As per the "About your Services" section

Q-LOT4-8 Short description (summary) of the service?
The proposed solution is based on an off-the-shelf web-based software package from BravoSolution and incorporates over 350 man-years of research & development entirely focused on web-based procurement lifecycle automation.
Component modules include, but are not limited to:
- A secure Portal
- Spend Analysis
- Programme/Process manager module
- eSourcing module (including eAuctions)
- Dedicated eEvaluation module (AWARD QCDL)
- Vendor Management/Profiling module
- Contract Management Module
- Vendor Performance Management Module
- Deployment programme of blended learning & education
- Programme for Buyer and supplier adoption including training and ongoing user support
- On-demand sourcing enablement and consulting/operational support

Services

Q-LOT4-9 Design Authority?
We undertake the role of Design Authority only in respect of the Supply Management Software and own the design and implementation of the software product.

Q-LOT4-10 Project / Programme Management?
Our consulting team uses structured engagement processes, adapted to fit specific customer requirements. Project plans are agreed and regularly reviewed as part of the engagement cycle. We can take responsibility for or integrate with overall programme management. Project programme management tasks can be undertaken at a project, programme or organisational level.

Q-LOT4-11 Business Analysis?
An early part of all customer engagements involves a greater or lesser amount of business analysis. We are a recognised expert provider of evaluation, procurement and review advice and will use this expertise combined with the analysis to ensure effective delivery of the business processes in association with the service.

Q-LOT4-12 Design and Development?
In the context of our specialist consulting service we design and develop implementation, adoption and operational models for customers. This can be done on a one-off basis for specialist projects or via re-usable models and templates. We also design and develop end-to-end methodologies to facilitate definition of criteria, process models and evaluation/review of end results.

Q-LOT4-13 Testing?
Within our specialist consulting service, our delivery package includes testing/quality assurance of both the development of procurement models and verification of the process/data prior to execution of decision making processes, including independent peer review using a different member of our team.
Our software system also undergoes extensive quality assurance including software based unit tests, regression testing using a suite of automated tests and manual scripted verification for critical features and performance/load testing. Software is also rolled out on Beta and Pre-Production services for verification in "live" environments and for customer verification/training and early experience access to new features.

Q-LOT4-14 Project Specification and Selection?
In the context of our specialist consulting service we support project specification and selection in the context of deployment of our service and adoption operational projects. This can be done on a one-off basis for specialist projects or via re-usable models and templates.

Q-LOT4-15 Service Integration?
BravoSolution provides integration services via standard open standards web-services methodologies. BravoSolution has integrated into hundreds of different applications, including ERP, Supplier management, Official advertisement, Transportation systems etc.
Q-LOT4-16 Deployment?
Our services offering includes deployment services ranging from change management, template creation and training to development of content for customers. Note that no technical support is required for deployment - the service requires only a browser with no additional plugins or software to operate.

Q-LOT4-17 Transition Management (including rapid inter cloud service data/service migration)?
Our service offering includes support in migrating data from other services. Data from other sources can be prepared and imported via Excel. Data can also be exported in Excel format for integration to other cloud services. This is rare though due to the specialist nature of our service.

Q-LOT4-18 Service Management?
Our service is managed by SC cleared operational staff. Management of individual customers' data including users and projects can be carried out as agreed via our Help Desk or via our consultants. Where authorised to access individual customers' data, we do so via specific logins on the customer's account to segregate accountability and audit.

Q-LOT4-19 User Management?
User Management can be carried out by the customer (using nominated Administrators) or via our Help Desk. This service is also sometimes provided as one of the services under a contracted support/consultancy package within the customer organisation. Organisations can be responsible under an ‘enterprise’ agreement for the ongoing user creation, provisioning and management.

Q-LOT4-20 Training?
We provide a number of training courses - these range from formal training in all aspects of the product to training packages developed in conjunction with standard re-usable templates that make use of commonly used procurement models - these allow for streamlined and low-cost training and lead to faster implementation and deployment. Our offering includes the ability to take our standard templates and modify them to suit specific customer needs, again offering a low cost option for rollout. Our knowledge and provision is backed up by an extensive, blended training programme covering both best practice and use of the software through classroom and online channels.

Q-LOT4-21 Editorial?
This is not applicable except in the context of the user/organisation configurable help/guidance and process support contained within the suite.

Q-LOT4-22 Application management and support?
Our service is managed by SC cleared operational staff. Management of individual customers' data including users and projects can be carried out as agreed via our Help Desk or via our consultants. Where authorised to access individual customers' data, we do so via specific logins on the customer's account to segregate accountability and audit. This service is also sometimes provided as one of the services under a contracted support/consultancy package within the customer organisation.

Q-LOT4-23 Strategy and implementation services?
Many customer engagements involve a degree of strategy and implementation services associated with the change programme leading to the delivery of the service. This will either be complete oversight or integrating with our customer and/or their other advisors. Our consulting team are recognised experts in the implementation and advisory space, particularly in relation to running OJEU compliant procurements both in terms of overall strategy, compliance with legal frameworks and the use of Electronic Tools to streamline the procurement and manage costs and timescales.