QUALIFICATION CHECK LTD

Qualification Check

Qualification Check is a leading supplier of global education verifications and other background checks and screening services with over 40,000 data sources in more than 200 countries. Trusted by thousands of organisations worldwide to verify the authenticity of their employees' qualifications, employment history, IDs and other credentials.

Features

  • On demand verification of education, professional membership, employment and IDs
  • Global coverage
  • Automated Service
  • Live Dashboard
  • Full Audit Trail
  • Live Chat
  • Downloadable Reports
  • Account Management
  • Unlimited users and flexible account setup
  • Multiple payment methods and no minimum volumes

Benefits

  • Easy web access
  • Available 24/7
  • Secure and confidential
  • Fast and accurate
  • 100% accuracy as all verifications are checked at data source
  • Thousands of secure integrations to trusted data sources
  • No setup costs and no minimum volumes
  • Free technical support for API integrations
  • Customisable setups and white-labelling if preferable

Pricing

£12 to £25 a unit

  • Education pricing available
  • Free trial available

Service documents

Framework

G-Cloud 12

Service ID

1 9 5 0 0 0 2 7 6 6 6 7 5 1 5

Contact

QUALIFICATION CHECK LTD

Phil Dupont

0203 897 0956

sales@qualificationcheck.com

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
There are no constraints it is a web accessed application anyone can sign up to and use
System requirements
There are no systems requirements

User support

Email or online ticketing support
Email or online ticketing
Support response times
We have a live chat facility Monday to Friday 18 hours a day and response times are within minutes. On the weekends this is not available but any messages via it are sent as emails to the customer services team and responses are done first thing Monday mornings
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
It is accessed via the homepage and has no constraints in terms of use. Our customer services team will respond to any enquiries immediately
Web chat accessibility testing
We have not done any web chat testing however we have used the live chat application for over 5 years to great success. It is an important resource for all our users as it provides instant support.
Onsite support
Onsite support
Support levels
We provide an account manager for each client who helps with day to day issues and enquiries. We also provide technical support free of charge for any clients who prefer to integrate their systems with our API rather than just use the web application
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We help users get started with our service both remotely and onsite whichever is preferable. If they prefer remote there is a user guide video on our website and we can provide online demos of the service and an initial setup and training call. If an onsite visit is preferable we will provide a demo and training.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
Following GDPR guidelines we have a standard retention period of 6 months for verification data once the verification has been completed, unless a user specifically requests this to be longer or shorter. When a user no longer wishes to use our service they can request for their retained data to be sent to them . Then, as standard, any cancelled account will have its data deleted as per GDPR guidelines.
End-of-contract process
As we charge no setup fees or retainer but instead a fee per verification (as laid out in the pricing section) at the end of the contract the user account is simply shut down at not cost and data is extracted and deleted as laid out in the previous section.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
There is a slightly different layout due to screen sizes
Service interface
No
API
Yes
What users can and can't do using the API
Users can use the full functionality of our service via the API. The setup and all information regarding the API is laid out in our API documentation and our technical team provide free support during setup
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Using the API they are able to customise and white label the service as part of their own platform. We also provide bespoke customisation and alternative integration options for clients if required.

Scaling

Independence of resources
Our use of smart technology supported by staff in the UK, India and other global locations means that we have a fully scaleable solution ensuring that large volume increases in verifications will not negatively effect service levels

Analytics

Service usage metrics
Yes
Metrics types
When a user logs into their account their is a dashboard showing all user activity as well as usage metrics. This can be searched by date and a number of other useful parameters
Reporting types
  • Real-time dashboards
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
User data is held in their secure qualification check account and can be accessed at any time using their username and password. If they wish to extract their data in bulk at any time they simply need to make a request via our customer services team and one of our technical team will arrange this for them.
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
99% plus availability of service is our SLA
Approach to resilience
Our datacentre is resilient as it it has multiple redundant vendor transient servers.
Outage reporting
This is done via email alerts

Identity and authentication

User authentication needed
Yes
User authentication
Username or password
Access restrictions in management interfaces and support channels
We have an administrative platform that is accessed by qualification check employees for the purposes of customer service and helping process verifications. This has restricted access to only certain relevant employees who login in using a secure username and password. For database and other backend access there are strict access controls that only our CTO and management control and can access
Access restriction testing frequency
At least every 6 months
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Between 6 months and 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
Between 6 months and 12 months
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
URS
ISO/IEC 27001 accreditation date
April 2020
What the ISO/IEC 27001 doesn’t cover
None
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
Cyber Essentials Plus

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
We are ISO27001 and Cyber Essential Plus certified. We have followed the guidelines that are needed to achieve these certifications including implementing a strict reporting structure that includes key members of our management team such as our CEO and CTO. This ensures that all policies are followed.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
A register of all assets that process, or store information is maintained by our IT Service provide HJS Technology

For our application the CTO is responsible for all changes and this is manged in accordance with OWASP and SDLC best practices.

We have a Security Framework of policies and procedures covering IT, physical and HR security controls, and is certified to ISO 27001:2013. Policies are communicated to staff during induction with annual recertification.

The CEO is accountable for security and he is supported by the CTO, the Head of Operations APAC and Head of Operations EMEA.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Testing and deployment of patches is carried out for all systems and applications. The business and technical impacts of the deployment of any patches are considered as well as the security impact.

Our IT service HJS Technology maintain a list of suppliers of vulnerability alerts which will include vendors for critical infrastructure components (e.g., Microsoft, Cisco, Oracle, etc.).

All patches which are deployed are integrated into subsequent standard builds so that the vulnerabilities which it addresses are not subsequently re-introduced. HJS are responsible for deploying to endpoint devices while our cloud services are responsible for patching the platform services.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
To record events and generate evidence event logs recording user activities, exceptions, faults and information security events will be produced, kept and regularly reviewed. For QC devices and applications, the following events will be recorded:

· time of the event

· the event types

· associated user ID and/or system ID

Event logs will be retained for 3 months. Access to event logs will be limited to authorised users.

We also place reliance on our cloud hosting provides WAF, IDS and SIEM to provide us with alerts to any incidents. The CTO will investigate and respond to any alert.
Incident management type
Supplier-defined controls
Incident management approach
Our user security provides guidance and to staff on what security events and incident to all staff. All security incidents, events or concerns are to be reported to the Chief Technical Officer as soon as possible.

The Chief Technical Officer will investigate and respond to security incidents. Where the incident involves the loss or personal data or affect the clients the Chief Technical Officer and the Chief Executive Officer with discuss the need to inform the Information Commissioner’s Office and clients. Where the incident involves client’s information, we always inform the client within 72 hours of the incident.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Pricing

Price
£12 to £25 a unit
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
We allow potential clients to carry out 5 free verifications over a 2 week period.

Service documents

Return to top ↑