DUE DILIGENCE CHECKING LIMITED

Disclosure and Barring Service Checks (DBS) and Pre-employment Checks.

Due Diligence Checking Limited (DDC) is a dedicated pre-employment and DBS checking provider. Specialising in online data entry and electronic processing, DDC reduce the resource needed and save you valuable time. DDC provide an all-in-one solution for your DBS checks, reference checks, qualification checks and more.

Features

  • Experienced Customer Service Team
  • Real-time reporting, downloadable excel file with advanced filtering
  • Online portal, smart application forms; built-in error checking facilities
  • User access management; personal logins, tiered user access, unlimited users
  • Built in DBS compliant Identity Checking Tool
  • Tailorable notification system with central oversight
  • Variable payment options available
  • Downloadable final report
  • Scalable design to suit central management and individual local processes
  • Bespoke pre-employment packages to accommodate requirements

Benefits

  • All encompassing platform to request multiple services
  • Efficient and flexible process to accommodate your requirements
  • Easy to use online system, full error checking facilities
  • Quick and free set-up
  • Minimal input to initiate checks, API options available
  • Ensures GDPR and data protection compliance
  • Save time and resource, no more chasing referees
  • Knowledgeable Customer Service Team available 9am-5pm Mon-Fri
  • Quick electronic results, downloadable from the online platform
  • Secure, reliable and professional service, ISO27001 and ISO9001 certified

Pricing

£5.00 a unit

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at jakew@ddc.uk.net. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

4 2 0 1 0 3 3 8 4 7 5 9 8 5 9

Contact

DUE DILIGENCE CHECKING LIMITED Jake Waddingham
Telephone: 0116 260 3055
Email: jakew@ddc.uk.net

Service scope

Software add-on or extension
No
Cloud deployment model
Private cloud
Service constraints
Certain criminal record checks are subject to eligibility requirements and specific consents. Basic criminal record checks and pre-employment reports can be requested by any organisation.
System requirements
User(s) require an internet enabled device.

User support

Email or online ticketing support
Email or online ticketing
Support response times
Emails are responded to within 4 working hours Monday-Friday
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Onsite support
Support levels
Advice and support is provided to all clients at no additional cost. Core to the provision of the service is the Customer Service Team which is available to deal with all enquiries, questions and help process all applications as quickly and effortlessly as possible. Key customers with complex structures receive support from a dedicated account manager.

The majority of technical queries can be dealt with by the Customer Service Team and/or account management team. Clients also receive access to a technical support team for more complex matters.

All applicants are encouraged to contact the DDC Customer Service Team, as a fully outsourced service, to save clients time and resource for dealing with such queries.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Getting started with DDC is free, quick and simple. DDC work with many organisations to offer a premium service, including training at no extra cost. The Customer Service Team take pride in supporting all levels of users, irrespective of previous experience with online systems or web applications. DDC will support all users in the transition to the new service in an understanding and professional manner, to minimise disruption. The Customer Service Team is available to answer any queries, concerns or offer guidance on using the system. Clients are provided with support to ensure the system is set-up to match requirements.

Onsite training can be provided as part of the implementation. The training is tailored to the requirements of the client and any specific internal procedures in place. Additional users are provided with a phone call/webinar to introduce DDC and to provide a demonstration of the system. This is provided to all new users added to the system throughout the life of the contact. A quick start guide will be made available to all users, to help with the processing pre-employment checks.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
All data can be extracted from the system by the client using the online system reporting features. The data is emailed to the user accessing the system in a CSV format.
End-of-contract process
There are no additional costs at the end of the contract. DDC will work with the client to ensure a secure transfer of all data. If any checks are outstanding, DDC will ensure their completion. Once all checks are completed the accounts will be closed and user access removed. System wide users can maintain access post contract, if requested. DDC are happy to work with any new suppliers during the transition. Data is deleted inline with DDC's data retention policies published in the privacy policy, however clients can request full deletion or anonymisation of data as per their own policies.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The online platform is scalable in design to accommodate smaller screen sizes such as mobiles and tablets. Functionality remains the same for both mobile and desktop services.
Service interface
Yes
Description of service interface
The service interface is accessible from any internet enabled device to allow applicants, users and third-parties to process DBS and pre-employment checks. Client users can initiate a range of pre-employment checks, manage applications and receive result through the interface. Users are provided access rights to the service interface depending on their role in the process.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
Internal testing to this standard has been completed. No formal testing outside of the organisation has been completed.
API
Yes
What users can and can't do using the API
The DDC service allows clients to submit application through an API, with basic applicant details provided together with details of the checks to be requested. Each check type has a specific data set required to allow the submission. If the API submission indicates that type of check is to be included then that dataset becomes a requirement and will be validated.

Secure connection to this API is controlled using Bearer Authentication with JSON Web Tokens. Once security protocols have been exchanged the submission is authorised and validated. DDC will confirm receipt of the application. Under normal circumstances this receipt is treated as an ‘in progress’ stamp by clients. All data is validated prior to entering the DDC system to meet strict acceptance criteria, with detailed error messages in place to highlight non-valid data. Data is tracked using applicant specific numbers used by the client, and placed into specific accounts using location codes if multiple accounts/locations are in use. Each user or account can review the progress with applications and obtain status updates directly from the DDC system with a personal username and password.
API documentation
Yes
API documentation formats
PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Aspects of the online service can be customised to meet the customer's requirements. Customisable aspects include:
Multiple accounts to accommodate the organisation's structure or network of offices. Each account can have bespoke system settings to match local processes whilst meeting central management requirements.
User access levels can be determined to reduce the level of access an individual has, to match their role in the process.
The application process is customisable to match client requirements including internal or external ID checking and user or applicant data entry.
Flexible payment options allow invoices to be grouped or split across departments or operational areas with the option of allowing applicants to pay online via credit/debit card.
Product packages are bespoke allowing the client to set the required checks and amend the individual elements of each check. For example, how many years of employment history is required, the questions asked of the referee and the level or type of DBS check required.

Scaling

Independence of resources
The system is under constant monitoring with thresholds set with Third Party software, which trigger an alert to the Company Directors and Web Development Team if exceeded. This allows for the pro-active detection of load on the servers, and plans for increasing power. The current infrastructure has been specified to handle double the current requirements, and was recently upgraded due to reaching 75% capacity on the previous hardware. This platform has been ‘stress tested’ to handle approximately 300% more applications per annum than the current activity levels.

Analytics

Service usage metrics
Yes
Metrics types
The system has a range of reporting and metrics built in and readily available to users using live data. Additional statistics and metrics are made available on a regular basis via an account manager.
Metrics include but are not limited to:
• Number of applications
• Breakdown of check types
• Timeframes for process completion
• Timeframes for process steps
• DDC response and processing times
• Service uptime
• Customer satisfaction
• User access data
Bespoke reports and metrics are available and can be requested as required or issued on a scheduled basis.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
Encryption of all physical media
Data sanitisation process
No
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Data sets can be selected using advanced filtering and exported from within the system by active users. CSV file outputs are sent directly to the users registered email addresses for security. Data can be exported at the click of a button utilising live reports. The exporting of data is available on a range of reports from withing the system and dependent on user access rights. Bespoke data sets in specific formats can be made available for export following consultation.
Data export formats
  • CSV
  • Other
Other data export formats
PDF
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Access to the online web application for all users and applicants is available 24 hours a day, 7 days a week and requires a web browser connected to the internet. The system is guaranteed to have a 99% availability up time. The average uptime for the past 36 moths is 99.97%.

DDC's servers are hosted in a Tier 3+ standard data centre with a 99.982% guaranteed availability.

DDC will agree an SLA with the client and measure performance against this. Should this SLA not be reached, steps will be taken to return to the agreed service level.
Approach to resilience
The web-application and all personal data is hosted on high specification servers located in a secure Tier 3+ data centre as per the Telecommunications Infrastructure Standard (ANSI/TIA-942). The data centre guarantees a 99.982% availability. The organisation has been accredited to their own ISO27001 standard.

Servers are regularly tested and maintained to a very high standard to ensure security of data and best practice principles are followed. Operating System (OS) patching is carried out monthly, unless a critical vulnerability is announced. CentOS is used for the Virtual Machines (VMs), which has a conservative upgrade philosophy, for stability. Application security updates are applied as released. Servers are maintained with firewalls and IP restrictions. Further information is available on request.

DDC have in place and utilise a documented, secure Disaster Recovery process, which will be used for all client data to maintain resilience. This includes key features:

• Spare office location
• Clearly documented recovery procedures for all of the key IT infrastructure components.
• High availability, periodical and incremental backups.
• Spare hardware to minimise any potential delays in recovery.
• Dedicated lease line connection from the DDC offices

DDC’s Business Continuity and Disaster Recovery Plans can be made available on request.
Outage reporting
As DDC operate a continuous integration software workflow, regular maintenance windows are unnecessary. If downtime is required notifications are communicated through news channels to the user and applicant with a minimum of 2 week notice. During the downtime a failover page providing notice to the user is displayed. Downtime due to maintenance is scheduled outside of core working hours and will not be between 8am and 8pm Monday to Friday.

In the event of system downtime due to unexpected incidents, DDC utilise a failover page hosted on Amazon Web Services (i.e. independent from the main system). This allows notices to be raised about known issues affecting any aspect of the service. This page is then linked to the DDC public site (www.ddc.uk.net) which will display a news article about the issue and the response times. The DDC management team will update this News Article to confirm the phases of the response as per the Disaster Recover and Business Continuity Planning (DR & BCP).

Identity and authentication

User authentication needed
Yes
User authentication
Username or password
Access restrictions in management interfaces and support channels
User access is restricted through a hierarchy system ensuring that users only access data they are authorised to view. Access levels reflect the user’s role within the pre-employment checking process. This ensures that the user can perform all necessary tasks whilst maintaining the highest level of data security.

Users are granted access through an agreed channel and authorisation process. Each user has unique credentials to access the system, with logging of all actions completed to ensure a complete audit trail is available. Authorised users can access a user report which highlights the level of access granted.
Access restriction testing frequency
At least once a year
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Alcumus ISOQAR
ISO/IEC 27001 accreditation date
02/08/2018
What the ISO/IEC 27001 doesn’t cover
A.13.1.3 Segregation in networks is excluded. DDC only operate one network domain.
A.14.2.7 Outsourced development. All DDC software is developed in house.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
Yes
Who accredited the PCI DSS certification
TrustWave
PCI DSS accreditation date
28/08/2019
What the PCI DSS doesn’t cover
DDC are fully PCI DSS compliant
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
DDC have ISO27001 Information Security Management Standard which applies to all areas of the business. As part of the requirements the business utilises a detailed wiki on the Core Policies of the business, together with specific Information Security policies and processes. This is regularly audited by a dedicated Information Security Manager, and supported by a working ISO Team. This team also ensure that all team members have undertaken the relevant training to their role within the business, which is updated annually.

Included in the Information Security Management Standard (ISMS) is an extensive policy and process regarding business continuity planning (BCP) and disaster recovery (DR). ISO27001 is a requirement of e-bulk and the organisation incorporates data security considerations into all systems and processes. These policies and processes detail both the procedures and the physical systems which ensures organisations are provided with a resilient and robust system. Policies and procedures are reviewed twice per year, at a specifically convened Information Security Management Systems (ISMS) meeting. As part of this meeting the team run through disaster emulation to pro-actively test the processes and policies in place to ensure they are fit for purpose.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
The Management and Development Team use a formal change control questionnaire for all large developments, as part of a larger project plan. This includes key questions about the business processes affected and a specific section about data security considerations. This six-stage project plan includes, kick off, design & planning, development, testing, deployment, monitoring and review & sign-off stages. The project management template ensures security considerations are evaluated and assessed at every stage of development. Any significant changes affecting clients are communicated through account managers or the Client Area News Feed.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
DDC utilise a detailed risk analysis process which systematically details the hardware/ systems assets in place to generate a risk score.
Each of the risks is evaluated and given a 'risk score' which must then be reviewed and accepted by the management team. As part of the ongoing investment in the system and ISO27001 accreditation these risks are evaluated each month, to ensure that the risk still exists, the technical solutions in place are still sufficient or if there are other technical solutions that can reduce the risk further.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Vulnerability scans are run monthly as part of the TrustWave PCI compliance system. Ad-hoc scans are run as required during the month, where any system updates are conducted. Annual Penetration tests are run with a certificate of conformity issued by ITGovernance. Any ‘areas for concern’ are emailed to company Directors with corresponding ISMS tasks generated.
Incident management type
Supplier-defined controls
Incident management approach
DDC utilise software (Jira) for the reporting and logging of incidents. Tasks are prioritised depending on the severity of the incident and allocate to the relevant department owner. Critical tasks are addressed immediately to reduce potential loss of availability and data exposure.

Depending on the nature of the event clients must first report the issue directly the Customer Service Team with specific details required to allow the emulation of the issue. Once replication has been achieved a work ticket is created as a defined ‘non-conformity’ ticket type, with a corresponding development ticket.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Pricing

Price
£5.00 a unit
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
Full access is provided during the trial period. No specific time period is applied. All checks added to the system will be paid for in full. If the client decides not to go ahead, those applications already initiated will be completed.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at jakew@ddc.uk.net. Tell them what format you need. It will help if you say what assistive technology you use.