Due North Limited

Service Definition Document
Service Description
Service Summary
Since its formation in 2002, Due North has established itself as a leading provider of Strategic
Sourcing and Contract Management solutions in both the Public and Private Sector. We have
without doubt the largest footprint in the UK for our sector with over 250 customers.
Due North installed the first sourcing software solution to go live in the UK Public Sector, at
Durham County Council in 2002. Today, Due North’s ProContract application is in use across the
Public Sector, including Central and Local Government, the Emergency Services, the NHS, Higher
Education, Housing Associations and Passenger Transport, and is the established sourcing software
standard for seven of the UK’s regional Centres of Excellence.
As well as supplying individual Contract Management solutions, Due North specialises in the
development of true Collaborative Procurement Environments, encouraging collaboration and
aggregation on contracts.
Our first portal went live in April 2004 and was created for the North East Purchasing Organisation;
the portal covers a total of 18 Councils, from Districts to Metropolitan Borough Councils.
This particular portal is used by over 2000 Procurement Officers and has 37,000+ registered
suppliers covering 30+ countries. They awarded us a ten year contract in perpetuity from April
2012.
Blue Light, our second Portal, went live in May 2004 and is available to all the Emergency Services,
covering 35 Police Forces and 24 Fire & Rescue Service Organisations. Both portals use
our ProContract Suite and have recently renewed their contract with Due North for an additional
three years.
Since then we have also won other Collaborative Portal environments via OJEU tendering exercises:
- Devon Tender Partnerships went live in September 2004 covering 11 Councils (recently
  renewed its contract with Due North for an additional 4 years).
- South East Centre of Excellence went live in July 2006 covering 74 Councils.
- North West Centre of Excellence went live in July 2007 covering 30 Councils to date. This
  contract also came with a National Framework Agreement open to any other Public Sector
  Organisations in the UK, including Charitable Trusts.
- Eight out of nine Regional Improvement and Efficiency Partnerships (RIEP) now use Due
  North.
- ESPO awarded us framework supply status in 2008 for three years and has extended it for
  a further two years; we are now rolling our software out to ESPO for use in its own organisation.
As a result of winning National Framework Agreements, Due North moved into new market
sectors such as the NHS, and we have won as customers many large NHS
Trusts, PCTs and Collaborative organisations.
Part of Access Intelligence PLC, we have seen steady growth throughout our history, with a
strong outlook over the next 5 years via both organic growth and strategic acquisition.
Features & Functions
Our software is modular and covers Contract Registers, an Opportunities Notice Board (official OJEU
sender), eTendering software including RFx, Evaluation software including ITT, PQQ and
Supplier Appraisals, eAuctions (Reverse, Forward and Transformational), Contract Monitoring
(Supplier Relationship Management tool) and finally Spend Analysis.
The software has two interfaces and thus two types of user: Buyer and Supplier. The buyer is our
customer, with whom our contract is held. The supplier is any end user of the system.
Service Request Process
Contact should be made to:
Due North Limited
16/17 Enterprise Court
Crosland Park
Cramlington
Northumberland
NE23 1LZ
Telephone: 01670 597 120
Email: sales@due-north.com
Availability, Metrics & Statistics
Our service, under normal circumstances, is available 24 x 7 x 365, with actual uptime over the last
12 months (2012) registered at 99.8%.
Any planned maintenance is always scheduled outside office hours and notified in advance, and
can often be carried out without interruption to service availability by using the backup servers.
Help and Self Service
Getting Help
Due North’s manned help desk, located in the UK at Cramlington, Northumberland, is
provided between the hours of 08:30 and 17:30, Monday to Friday, excluding UK Public Holidays.
As this is a UK-based and manned help desk, Due North can confirm that there are no limitations
regarding time zones and public holidays.
Self-Service Support
Our software provides help and assistance in different ways to both buyers and suppliers. Buyers
are supplied with a series of guides which can be accessed from the main help area of the system.
In addition, each page of the system contains context specific help statements applicable to that
page.
There are full PDF guides on all aspects of the system provided for use by Suppliers. The guides
cover all areas of doing business, including registration and completing all types of
questionnaire. There is also a Supplier Registration and Response Wizard, a step by
step guide that leads the supplier through the key stages of responding to RFQs, PQQs, ITTs
etc.
This, along with the online help facility on each page they click onto, means that they can reply to all
requests with confidence. The help screens are context specific, meaning they are relevant to the
area the supplier is currently viewing.
Service Cost & Pricing
Our costs to customers are provided in three separate areas. The first is a licence cost giving the
organisation full access for the contract period. The second element is an annual hosting cost
which is based on the number of users required and includes all hosting hardware and full buyer
and supplier support. The third and final element is implementation and training which is
dependent on the user numbers.
NB. Our customers benefit from the fact that the licence cost is a one-off charge. For example, if at
the conclusion of a three year contract the organisation wishes to continue with our service, it is not
required to pay a further licence cost, merely to continue paying the annual hosting charge.
Service Support
Eligibility for service
Due North will provide support to any user or their registered suppliers; this is included as part of our
annual hosting charge.
Authorization requirements for obtaining service
An email address registered on our system as a buyer or supplier.
Escalation process
Technical (including fault call resolution) Escalation Path

Escalation Stage   Position               Telephone
1st Point          Support Technician     01670 597 136
2nd Point          Support Manager        01670 597 124
3rd Point          Head of Operations     01670 597 138
Account Management Escalation Path

Escalation Stage   Position               Telephone
1st Point          Account Managers       01670 597 123
2nd Point          Head of Operations     01670 597 138
3rd Point          Managing Director      01670 597 121
Testing
Due North’s software undergoes an upgrade two or three times per year, where new functionality is
added, issues are fixed and users’ wish list items are added.
All upgrades follow a documented roll out process through three stages before going ‘Live’.
Firstly, the system is tested internally, where the proposed solution undergoes rigorous testing,
typically around 4-6 weeks. Here the vast majority of issues are addressed and the new
functionality is confirmed to operate as specified.
The second stage is UAT (User Acceptance Testing), where a small selection of nominated users
can test the changes and report any bugs or log change requests. This typically lasts around a
further 4-6 weeks.
Once UAT is complete, the third environment is UFE (User Familiarisation Environment) where a
larger base of nominated users gain familiarity with the system before it goes ‘Live’. This
environment ensures a smoother transition to ‘Live’ by allowing time for users to absorb the
changes and use the system as if ‘Live’ without the sole purpose of testing. This environment is
commonly used for users to provide internal training to a wider audience and to allow any internal
documentation to be updated. This typically lasts around 2-3 weeks.
Finally, after the UFE period, the system is moved to the customer’s ‘Live’ environment.
Customers will be informed well in advance of any roll out to ensure they are fully prepared.
IT Security Health Check (ITSHC)
ITSHC is more commonly referred to as Penetration Testing. Due North engages in IT Security
Health Checks on an annual basis to ensure we continue to operate to the highest possible
standards. These tests are conducted under CESG [1] guidelines using a CHECK [2] accredited team
of assessors. The purpose of the ITSHC is to examine the application and technical infrastructure,
both at Due North and at the data centre, and to identify any possible vulnerabilities which may
compromise the confidentiality, integrity or availability of information held on protectively marked
systems. This results in the production of a CHECK report and an action plan of any corrective action
required. The process of performing an ITSHC every year results in very strong continual
improvement of the security of our systems.
[1] CESG is HMG's Communications-Electronics Security Group, the Information Assurance (IA)
arm of GCHQ. They are the UK body who carry government responsibility for ensuring and
accrediting IA for protectively marked information systems such as ProContract.
[2] CHECK is CESG's IT health check service. CHECK Service Providers are accredited by CESG
and are currently permitted to work on systems processing protectively marked information up to and
including CONFIDENTIAL. The highest level of protective marking of the data being processed on
ProContract is RESTRICTED.
HMG RESTRICTED Accreditation
Due North has undergone accreditation to HMG RESTRICTED, also referred to as Impact Level 3
(IL3). HMG RESTRICTED is point 3 on a scale of 1 to 6 of Protective Marking, where IL1 is HMG
UNCLASSIFIED and IL6 is HMG TOP SECRET. This exercise built on our ISO27001
accreditation and is conducted to even more stringent standards. To conduct this process we
engaged the services of CLAS [3] Consultants to assist in the production of the required Risk
Management & Accreditation Document Set (RMADS), which is required to comply with the HMG
Security Policy Framework (SPF) regarding accreditation of protectively marked systems. Risk
Management is the process of defining risk appetite and risk tolerance, performing risk assessment
and producing the risk register and risk treatment plan. These are carried out in accordance with HMG
Information Assurance Standard No. 1 Parts 1 & 2 (Technical Risk Assessment) and Information
Assurance Standard No. 2 (Risk Management & Accreditation of Systems).
A major component of the RMADS is the Baseline Control Set. This is closely aligned to the
Statement of Applicability produced as part of ISO 27001 and performs essentially the same
function of defining the required information security controls and Due North's
implementation to meet them.
Other crucial components of the RMADS include:
- Identification of security responsibilities, which are detailed in Terms of Reference and role
  specific Security Operating Procedures (SyOPs)
- Routine procedures, which are detailed in SyOPs and in existing system procedures
- Configuration control responsibilities
- Incident management and reporting responsibilities
[3] CLAS is the CESG Listed Adviser Scheme. CLAS consultants are approved to provide
Information Assurance advice on systems processing protectively marked information up to and
including SECRET.
Documentation and Training for Support
For a train the trainer approach, where those who attend the training will then train users within
their own organisation, we would recommend that the user attends the “Super User” training course. This
course covers all of the system functionality and will provide a full understanding of the modules,
allowing that user both to use the system and to pass on knowledge within their organisation.
The training sessions are a mixture of trainer demonstration and “hands on” exercises which
those attending work through. Sessions should be attended by no
more than 10 people, to ensure that maximum benefit is derived by all those attending and that
there is sufficient time for the trainer to interact with all the delegates on a one to one basis as they
work through the exercises.
Super User (Administrator) Training
This training course would take a total of 4 days. It is aimed at a user with little or no
knowledge of the ProContract solution, so it would start from the basics and build from there. It would
cover the set-up of all aspects of the solution as well as the use of all the various areas of
functionality. The course can be run on consecutive days; however, we can organise the
course to suit your department’s timescales.
Communication Plan
All technical queries can be raised by either telephone or email. Once raised, they are logged by
the Support Department into the Customer Relationship Management (CRM) system, where
progress, status and activity can be logged and audited. A unique Case ID is provided to the
caller.
The Support person can then address the caller’s query; if it spans more than one call, the Case
ID is used for identification. Once completed, outcomes are recorded in the CRM and the case is closed.
All user issues are accepted by telephone, email, fax or post. All communication is logged into the
CRM system and a Case ID is automatically assigned; progress, status and activity are logged and
audited. The customer's Account Manager 'owns' the issue throughout; however, the nature of the
issue will dictate to whom the Case is directed internally. In such circumstances, the Account
Manager is updated at every stage of the issue and will communicate with the originator after
resolution. The Case in our CRM system is then closed.
All issues relating to system faults, downtime and maintenance are communicated via
email. In addition to this, where required, a maintenance page and/or notification will be visible at
key points in the system.
Due North have established an Incident Management Group (IMG) that ensures our clients are
made aware of unplanned system failures within the hour. The IMG will then provide regular
updates to the client throughout the outage. Our solutions are monitored from multiple locations
allowing the key IMG members to be notified via email and mobile phone within minutes of an
unplanned failure.
Should solution upgrades require any downtime, you will receive notification at least 1 month in
advance. Upgrades will also be scheduled to occur outside normal working hours.
Operating system security patches are currently scheduled to be installed automatically at 5 am on
the weekend following their release. You would not normally receive notification of downtime for
these events and they are normally limited to approx. 5 minutes. Should users be active at this
time, they will not need to log back in once the server has restarted. OS patches deemed of critical
importance by the Infrastructure team are applied on the day of release and do not require any
downtime as traffic is diverted between the live and standby servers during installation. This also
extends to Application Server upgrades/patches. User sessions are seamlessly transferred
between servers with no need to log back in to the solution.
Third party issues are recorded in our CRM system and follow the same procedure as Support
Issues.
Change requests can come in via telephone or email; however, the preferred method is our User
Forum, where users can discuss any queries they may have with other users and also log any
Change Requests. These Change Requests are then reviewed and opened for discussion at our
periodic User Group Meetings, where Due North and the customers discuss Change Requests and
mutually agree priorities and timescales for delivery.
A monthly report can be provided on a restricted area of your website. This would include a graph
indicating server load for the month and also list any planned/unplanned downtime along with
details for each event.
The Portal Administrator can use the proposed solution to communicate information through the
Portal, e.g. News & Events, which would then be made available to a wider audience of anyone
visiting the website, as opposed to just users of the system.
Service Delivery
Technical Specifications
Due North uses a data centre in Newcastle owned and managed by DataBanx, the first company
in Europe to gain ISO27001 accreditation for Managed Hosting. The servers and application
are hosted in a state of the art, purpose built data centre with extremely high levels of physical
security.
The building itself is a nondescript single storey steel and concrete facility with no branding on the
outside. It is surrounded by a 2m plus steel palisade fence on the two sides which face the roads
and by brick walls on the boundaries with other properties. Entrance to the site is via a sliding gate
which is open during the day while the building is staffed and securely locked at night. The
exterior of the building is protected by a comprehensive array of CCTV security cameras.
Physical access to the data centre is only available to data centre staff and nominated personnel.
This is enforced by multi layer visitor access controls to the building itself, then the data centre
floor and finally to the rack itself. Entry into the building is via a locked steel door which is opened
by data centre staff from the inside to visitors. All visitors must sign in and only nominated
personnel who must pass photo verification each visit are allowed into the building, which initially
only gives access to the entrance lobby. The system also allows instant access to a list of those
on site at any given time; this enables security personnel to monitor visitors and to provide a
muster sheet in the event of an evacuation. Passes must be worn at all times whilst on site.
We have our dedicated (leased) racks on the data floor which house the primary and backup
servers in independent racks. Access to each rack is controlled via a key pad, the combination of
which is known only to nominated Due North and data centre staff.
The servers are monitored constantly, with statistics collected every 10 minutes and probes
configured to notify Due North staff when certain thresholds are triggered. These include long
running web requests, disk space and disk/CPU utilisation. The collected statistics are analysed on
a weekly basis to ensure there are no performance bottlenecks and there is headroom available
for future expansion. For example, if CPU utilisation is consistently above 50%, we would take
measures to make more CPU available.
Bandwidth at the data centre is also monitored constantly. As mentioned previously, we have a
guaranteed bandwidth agreement with burst up to 100mb when more bandwidth is required. Over
the past 12 months (2012) our peak utilisation was 51.61mb.
Due North will ensure dedicated application and database servers are used to host the software.
Many other cloud based Software as a Service (SaaS) solutions are provided on a single
system/multi tenancy basis. This means that one single system instance with a shared database
is provided for all the customers who subscribe to it, and each customer is given a “slice” of this
system.
While this has advantages around cost of deployment and maintenance, it does carry
disadvantages. These can include unpredictable system performance and response times, but
also security concerns. As all customers’ data is typically in one database, data segmentation
cannot easily be achieved by access controls at the system or database level and instead must be
enforced by program code, which is inherently less secure. The quite natural concern of users is
that a system compromise arising from any other tenant may break these code enforced
data boundaries and compromise their own data integrity.
Due North takes a more robust approach in the design of systems and infrastructure to host
customers’ sensitive data. We prefer a dedicated web application server and a dedicated database.
This configuration is inherently much more robust, resilient and secure than multi tenancy
systems, or even multiple single tenancy systems on shared servers, as boundaries between
systems are enforced at a network and server level rather than simply between applications or data.
Due North offers the following at no cost:
System re-build using latest available back-up will be provided
In the event of failure of the live or standby server, the system will be rebuilt from the latest
available backup. This would typically involve minimal to zero data loss, as data would be
recovered from the live or standby server as appropriate. Recovery time is dependent on the volume
of data; however, the target time is 2 hours. We aim for up to 5 minutes of downtime if the ‘live’
server fails, to allow traffic to be diverted to the standby server.
Recovery to ‘cold’ DR (Disaster Recovery) site using latest available back-up will be provided
Data is replicated to a backup site either hourly or daily. This data can then be used to rebuild the
host environment within the DR data centre. Recovery time is up to 48 hours.
Recovery to ‘warm’ DR site with no loss of data will be provided
A fully operational warm standby server is located in our Manchester data centre. The server can
be configured to receive data on an hourly or daily schedule (or as soon as possible?). Due to the
nature of the procurement process and the size of attachments being added to the system, there
will always be a delay in data being transferred to the DR site. The server would be available to take
user load within 10 minutes of the live facility becoming unavailable. However, it could take up to 2
days for the updated DNS records to fully propagate through the internet. We'd anticipate that 90% of
users would be correctly routed to the DR site within 2 hours, though. The DR site would be able to
take the full load of the live environment with no restrictions on sites or users.
Service Level Agreement (SLA)
1 The on-going service is a Managed Service which covers the following:
1.1 All Hardware – including the provision of servers sufficient to provide the Service and
maintenance on a 24 x 7 availability basis;
1.2 Operational – including the running of the System and servers and backup and restore
facilities;
1.3 Communication – including access to and from the Internet;
1.4 IBM software licences and maintenance in order to provide the Service;
1.5 3rd party software and maintenance to provide the statistics and other services;
1.6 The Portal software, current version, to provide the Service;
1.7 Product fixes and updates, including those made necessary by legislative changes;
1.8 A help desk facility, provided 24 hours a day, to provide assistance to Licensees and
Suppliers. Calls may be placed by phone or e-mail.
1.9 The help desk will be manned during the hours of 08:30 to 17:30, Monday to Friday,
excluding Statutory and Bank Holidays.
2 Support
2.1 Priority 1 – user unable to access the Portal;
2.1.1 Call back within 15 minutes. The problem will then be worked on within 1 hour,
with a target resolution time of 2 hours.
2.2 Priority 2 – user able to access the Portal, problem with functionality;
2.2.1 Call back within 30 minutes. The problem will then be worked on as soon as
possible, with a target resolution time of 1 working day.
2.3 Priority 3 – user able to use the System, cosmetic problem;
2.3.1 Call back within 2 hours. The problem will then be worked on within 1 hour,
with a target resolution time of 5 working days.
2.4 Where issues are not essential to the normal working environment, a work around may
be provided, with the correction issued in the next update.
2.5 In all cases, if a Consultant is available the call will be handled immediately.
Operating Level Agreement (OLA)
The servers and application are monitored continuously by Due North. There are a number of logs
and alerts configured to ensure a quality service is delivered to the customer:
Monitors are in place so that if a server should stop responding for any reason, Due North staff are
notified within 5 minutes.
Disk space is also monitored daily, with notifications sent should free space fall below a predefined
threshold. Front line and application firewalls send notifications of critical events as they occur.
Due North assess what action, if any, is required upon receipt. Logs from these devices are sent to
a central management device and reviewed weekly.
Should an error be generated by the application, it is recorded within a system log that is
checked daily by the development team.
Finally, comprehensive server statistics are collected every 10 minutes and stored within a
database which is checked weekly. These include platform statistics (e.g. CPU/Memory/Disk
utilisation) and application server statistics (Mail, Transactions, Server Availability).
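As an added illustration, not Due North's own monitoring code, the alerting described in the Technical Specifications and OLA sections above (10-minute samples, notification within 5 minutes of a server going silent, disk space and long-running request probes, and a weekly review flagging hosts whose CPU is consistently above 50%) can be expressed as a small checker over constructed samples. The numeric cut-offs for disk space, slow requests and the meaning of "consistently" are assumptions, since the page only calls them predefined.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Sampling cadence, 5-minute notification and the 50% CPU rule come from the
# page; the remaining cut-offs are assumed values, not Due North's.
SAMPLE_INTERVAL = timedelta(minutes=10)
UNRESPONSIVE_GRACE = timedelta(minutes=5)  # notify within 5 min of a missed probe
CPU_HEADROOM_PCT = 50.0                    # "consistently above 50%" needs more CPU
DISK_FREE_MIN_PCT = 15.0                   # assumed "predefined threshold"
SLOW_REQUEST_S = 30.0                      # assumed long-running request cut-off
CONSISTENT_FRACTION = 0.9                  # assumed meaning of "consistently"


@dataclass(frozen=True)
class Sample:
    host: str
    ts: datetime
    cpu_pct: float
    disk_free_pct: float
    slowest_request_s: float


def immediate_alerts(samples, now):
    """Alerts raised as probes fire: low disk, long-running requests, and a
    host silent for longer than one interval plus the 5-minute grace period."""
    alerts = []
    last_seen = {}
    for s in sorted(samples, key=lambda s: s.ts):
        last_seen[s.host] = max(last_seen.get(s.host, s.ts), s.ts)
        if s.disk_free_pct < DISK_FREE_MIN_PCT:
            alerts.append((s.host, s.ts, "disk_space"))
        if s.slowest_request_s > SLOW_REQUEST_S:
            alerts.append((s.host, s.ts, "long_running_request"))
    for host, ts in last_seen.items():
        if now - ts > SAMPLE_INTERVAL + UNRESPONSIVE_GRACE:
            alerts.append((host, ts, "unresponsive"))
    return alerts


def weekly_cpu_review(samples):
    """Weekly headroom check: hosts above CPU_HEADROOM_PCT in at least
    CONSISTENT_FRACTION of their samples are candidates for more CPU."""
    cpu_by_host = {}
    for s in samples:
        cpu_by_host.setdefault(s.host, []).append(s.cpu_pct)
    return sorted(
        host for host, cpus in cpu_by_host.items()
        if sum(c > CPU_HEADROOM_PCT for c in cpus) / len(cpus) >= CONSISTENT_FRACTION
    )


def constructed_samples():
    """Constructed one-hour sample set: app1 runs hot throughout, db1 fills
    its disk and serves one slow request, standby1 goes silent after two probes."""
    base = datetime(2012, 6, 4, 9, 0)
    samples = []
    for i in range(6):
        t = base + i * SAMPLE_INTERVAL
        samples.append(Sample("app1", t, 60.0 + i, 40.0, 2.0))
        samples.append(Sample("db1", t, 20.0, 30.0 - 5 * i, 45.0 if i == 3 else 1.0))
        if i < 2:
            samples.append(Sample("standby1", t, 5.0, 80.0, 0.5))
    return samples


def run_demo():
    """Evaluate the constructed samples as at 10:00, one interval after the last probe."""
    samples = constructed_samples()
    now = datetime(2012, 6, 4, 10, 0)
    return immediate_alerts(samples, now), weekly_cpu_review(samples)
```

Running `run_demo()` yields two disk alerts and one slow-request alert for db1, an unresponsive alert for standby1, and app1 as the only host flagged by the weekly CPU review.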