QUALIFICATION CHECK LTD

Qualification Check

Qualification Check is a leading supplier of global education verifications and other background checks and screening services with over 40,000 data sources in more than 200 countries. Trusted by thousands of organisations worldwide to verify the authenticity of their employees' qualifications, employment history, IDs and other credentials.

Features

• On demand verification of education, professional membership, employment and IDs
• Global coverage
• Automated Service
• Live Dashboard
• Full Audit Trail
• Live Chat
• Downloadable Reports
• Account Management
• Unlimited users and flexible account setup
• Multiple payment methods and no minimum volumes

Benefits

• Easy web access
• Available 24/7
• Secure and confidential
• Fast and accurate
• 100% accuracy as all verifications are checked at data source
• Thousands of secure integrations to trusted data sources
• No setup costs and no minimum volumes
• Free technical support for API integrations
• Customisable setups and white-labelling if preferable

£12 to £25 a unit

• Education pricing available
• Free trial available

Service documents

• Pricing document (pdf)
• Skills Framework for the Information Age rate card (pdf)
• Service definition document (pdf)
• Terms and conditions (pdf)

Framework

G-Cloud 12

Service ID

195000276667515

Contact

QUALIFICATION CHECK LTD

Phil Dupont

0203 897 0956

sales@qualificationcheck.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: There are no constraints it is a web accessed application anyone can sign up to and use
• System requirements: There are no systems requirements

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We have a live chat facility Monday to Friday 18 hours a day and response times are within minutes. On the weekends this is not available but any messages via it are sent as emails to the customer services team and responses are done first thing Monday mornings
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: None or don’t know
• How the web chat support is accessible: It is accessed via the homepage and has no constraints in terms of use. Our customer services team will respond to any enquiries immediately
• Web chat accessibility testing: We have not done any web chat testing however we have used the live chat application for over 5 years to great success. It is an important resource for all our users as it provides instant support.
• Onsite support: Onsite support
• Support levels: We provide an account manager for each client who helps with day to day issues and enquiries. We also provide technical support free of charge for any clients who prefer to integrate their systems with our API rather than just use the web application
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We help users get started with our service both remotely and onsite whichever is preferable. If they prefer remote there is a user guide video on our website and we can provide online demos of the service and an initial setup and training call. If an onsite visit is preferable we will provide a demo and training.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Following GDPR guidelines we have a standard retention period of 6 months for verification data once the verification has been completed, unless a user specifically requests this to be longer or shorter. When a user no longer wishes to use our service they can request for their retained data to be sent to them . Then, as standard, any cancelled account will have its data deleted as per GDPR guidelines.
• End-of-contract process: As we charge no setup fees or retainer but instead a fee per verification (as laid out in the pricing section) at the end of the contract the user account is simply shut down at not cost and data is extracted and deleted as laid out in the previous section.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: There is a slightly different layout due to screen sizes
• Service interface: No
• API: Yes
• What users can and can't do using the API: Users can use the full functionality of our service via the API. The setup and all information regarding the API is laid out in our API documentation and our technical team provide free support during setup
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Using the API they are able to customise and white label the service as part of their own platform. We also provide bespoke customisation and alternative integration options for clients if required.

Scaling

• Independence of resources: Our use of smart technology supported by staff in the UK, India and other global locations means that we have a fully scaleable solution ensuring that large volume increases in verifications will not negatively effect service levels

Analytics

• Service usage metrics: Yes
• Metrics types: When a user logs into their account their is a dashboard showing all user activity as well as usage metrics. This can be searched by date and a number of other useful parameters
• Reporting types:
  • Real-time dashboards
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: User data is held in their secure qualification check account and can be accessed at any time using their username and password. If they wish to extract their data in bulk at any time they simply need to make a request via our customer services team and one of our technical team will arrange this for them.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: 99% plus availability of service is our SLA
• Approach to resilience: Our datacentre is resilient as it it has multiple redundant vendor transient servers.
• Outage reporting: This is done via email alerts

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: We have an administrative platform that is accessed by qualification check employees for the purposes of customer service and helping process verifications. This has restricted access to only certain relevant employees who login in using a secure username and password. For database and other backend access there are strict access controls that only our CTO and management control and can access
• Access restriction testing frequency: At least every 6 months
• Management access authentication: Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: Between 6 months and 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: Between 6 months and 12 months
• How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: URS
• ISO/IEC 27001 accreditation date: April 2020
• What the ISO/IEC 27001 doesn’t cover: None
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Other security certifications: Yes
• Any other security certifications: Cyber Essentials Plus

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: We are ISO27001 and Cyber Essential Plus certified. We have followed the guidelines that are needed to achieve these certifications including implementing a strict reporting structure that includes key members of our management team such as our CEO and CTO. This ensures that all policies are followed.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: A register of all assets that process, or store information is maintained by our IT Service provide HJS Technology; ; For our application the CTO is responsible for all changes and this is manged in accordance with OWASP and SDLC best practices.; ; We have a Security Framework of policies and procedures covering IT, physical and HR security controls, and is certified to ISO 27001:2013. Policies are communicated to staff during induction with annual recertification.; ; The CEO is accountable for security and he is supported by the CTO, the Head of Operations APAC and Head of Operations EMEA.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Testing and deployment of patches is carried out for all systems and applications. The business and technical impacts of the deployment of any patches are considered as well as the security impact.; ; Our IT service HJS Technology maintain a list of suppliers of vulnerability alerts which will include vendors for critical infrastructure components (e.g., Microsoft, Cisco, Oracle, etc.).; ; All patches which are deployed are integrated into subsequent standard builds so that the vulnerabilities which it addresses are not subsequently re-introduced. HJS are responsible for deploying to endpoint devices while our cloud services are responsible for patching the platform services.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: To record events and generate evidence event logs recording user activities, exceptions, faults and information security events will be produced, kept and regularly reviewed. For QC devices and applications, the following events will be recorded: ; ; · time of the event ; ; · the event types ; ; · associated user ID and/or system ID ; ; Event logs will be retained for 3 months. Access to event logs will be limited to authorised users.; ; We also place reliance on our cloud hosting provides WAF, IDS and SIEM to provide us with alerts to any incidents. The CTO will investigate and respond to any alert.
• Incident management type: Supplier-defined controls
• Incident management approach: Our user security provides guidance and to staff on what security events and incident to all staff. All security incidents, events or concerns are to be reported to the Chief Technical Officer as soon as possible.; ; The Chief Technical Officer will investigate and respond to security incidents. Where the incident involves the loss or personal data or affect the clients the Chief Technical Officer and the Chief Executive Officer with discuss the need to inform the Information Commissioner’s Office and clients. Where the incident involves client’s information, we always inform the client within 72 hours of the incident.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Pricing

• Price: £12 to £25 a unit
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: We allow potential clients to carry out 5 free verifications over a 2 week period.

Service documents

• Pricing document (pdf)
• Skills Framework for the Information Age rate card (pdf)
• Service definition document (pdf)
• Terms and conditions (pdf)