DUE DILIGENCE CHECKING LIMITED

Disclosure and Barring Service Checks (DBS) and Pre-employment Checks.

Due Diligence Checking Limited (DDC) is a dedicated pre-employment and DBS checking provider. Specialising in online data entry and electronic processing, DDC reduce the resource needed and save you valuable time. DDC provide an all-in-one solution for your DBS checks, reference checks, qualification checks and more.

Features

• Experienced Customer Service Team
• Real-time reporting, downloadable excel file with advanced filtering
• Online portal, smart application forms; built-in error checking facilities
• User access management; personal logins, tiered user access, unlimited users
• Built in DBS compliant Identity Checking Tool
• Tailorable notification system with central oversight
• Variable payment options available
• Downloadable final report
• Scalable design to suit central management and individual local processes
• Bespoke pre-employment packages to accommodate requirements

Benefits

• All encompassing platform to request multiple services
• Efficient and flexible process to accommodate your requirements
• Easy to use online system, full error checking facilities
• Quick and free set-up
• Minimal input to initiate checks, API options available
• Ensures GDPR and data protection compliance
• Save time and resource, no more chasing referees
• Knowledgeable Customer Service Team available 9am-5pm Mon-Fri
• Quick electronic results, downloadable from the online platform
• Secure, reliable and professional service, ISO27001 and ISO9001 certified

£5.00 a unit

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at jakew@ddc.uk.net. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

420103384759859

Contact

Jake Waddingham
0116 260 3055
jakew@ddc.uk.net

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: Certain criminal record checks are subject to eligibility requirements and specific consents. Basic criminal record checks and pre-employment reports can be requested by any organisation.
• System requirements: User(s) require an internet enabled device.

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Emails are responded to within 4 working hours Monday-Friday
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Onsite support
• Support levels: Advice and support is provided to all clients at no additional cost. Core to the provision of the service is the Customer Service Team which is available to deal with all enquiries, questions and help process all applications as quickly and effortlessly as possible. Key customers with complex structures receive support from a dedicated account manager.; ; The majority of technical queries can be dealt with by the Customer Service Team and/or account management team. Clients also receive access to a technical support team for more complex matters.; ; All applicants are encouraged to contact the DDC Customer Service Team, as a fully outsourced service, to save clients time and resource for dealing with such queries.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Getting started with DDC is free, quick and simple. DDC work with many organisations to offer a premium service, including training at no extra cost. The Customer Service Team take pride in supporting all levels of users, irrespective of previous experience with online systems or web applications. DDC will support all users in the transition to the new service in an understanding and professional manner, to minimise disruption. The Customer Service Team is available to answer any queries, concerns or offer guidance on using the system. Clients are provided with support to ensure the system is set-up to match requirements. ; ; Onsite training can be provided as part of the implementation. The training is tailored to the requirements of the client and any specific internal procedures in place. Additional users are provided with a phone call/webinar to introduce DDC and to provide a demonstration of the system. This is provided to all new users added to the system throughout the life of the contact. A quick start guide will be made available to all users, to help with the processing pre-employment checks.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: All data can be extracted from the system by the client using the online system reporting features. The data is emailed to the user accessing the system in a CSV format.
• End-of-contract process: There are no additional costs at the end of the contract. DDC will work with the client to ensure a secure transfer of all data. If any checks are outstanding, DDC will ensure their completion. Once all checks are completed the accounts will be closed and user access removed. System wide users can maintain access post contract, if requested. DDC are happy to work with any new suppliers during the transition. Data is deleted inline with DDC's data retention policies published in the privacy policy, however clients can request full deletion or anonymisation of data as per their own policies.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The online platform is scalable in design to accommodate smaller screen sizes such as mobiles and tablets. Functionality remains the same for both mobile and desktop services.
• Service interface: Yes
• Description of service interface: The service interface is accessible from any internet enabled device to allow applicants, users and third-parties to process DBS and pre-employment checks. Client users can initiate a range of pre-employment checks, manage applications and receive result through the interface. Users are provided access rights to the service interface depending on their role in the process.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Internal testing to this standard has been completed. No formal testing outside of the organisation has been completed.
• API: Yes
• What users can and can't do using the API: The DDC service allows clients to submit application through an API, with basic applicant details provided together with details of the checks to be requested. Each check type has a specific data set required to allow the submission. If the API submission indicates that type of check is to be included then that dataset becomes a requirement and will be validated. ; ; Secure connection to this API is controlled using Bearer Authentication with JSON Web Tokens. Once security protocols have been exchanged the submission is authorised and validated. DDC will confirm receipt of the application. Under normal circumstances this receipt is treated as an ‘in progress’ stamp by clients. All data is validated prior to entering the DDC system to meet strict acceptance criteria, with detailed error messages in place to highlight non-valid data. Data is tracked using applicant specific numbers used by the client, and placed into specific accounts using location codes if multiple accounts/locations are in use. Each user or account can review the progress with applications and obtain status updates directly from the DDC system with a personal username and password.
• API documentation: Yes
• API documentation formats: PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Aspects of the online service can be customised to meet the customer's requirements. Customisable aspects include:; Multiple accounts to accommodate the organisation's structure or network of offices. Each account can have bespoke system settings to match local processes whilst meeting central management requirements.; User access levels can be determined to reduce the level of access an individual has, to match their role in the process.; The application process is customisable to match client requirements including internal or external ID checking and user or applicant data entry.; Flexible payment options allow invoices to be grouped or split across departments or operational areas with the option of allowing applicants to pay online via credit/debit card.; Product packages are bespoke allowing the client to set the required checks and amend the individual elements of each check. For example, how many years of employment history is required, the questions asked of the referee and the level or type of DBS check required.

Scaling

• Independence of resources: The system is under constant monitoring with thresholds set with Third Party software, which trigger an alert to the Company Directors and Web Development Team if exceeded. This allows for the pro-active detection of load on the servers, and plans for increasing power. The current infrastructure has been specified to handle double the current requirements, and was recently upgraded due to reaching 75% capacity on the previous hardware. This platform has been ‘stress tested’ to handle approximately 300% more applications per annum than the current activity levels.

Analytics

• Service usage metrics: Yes
• Metrics types: The system has a range of reporting and metrics built in and readily available to users using live data. Additional statistics and metrics are made available on a regular basis via an account manager.; Metrics include but are not limited to:; • Number of applications; • Breakdown of check types; • Timeframes for process completion; • Timeframes for process steps; • DDC response and processing times; • Service uptime; • Customer satisfaction; • User access data; Bespoke reports and metrics are available and can be requested as required or issued on a scheduled basis.
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: No
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Data sets can be selected using advanced filtering and exported from within the system by active users. CSV file outputs are sent directly to the users registered email addresses for security. Data can be exported at the click of a button utilising live reports. The exporting of data is available on a range of reports from withing the system and dependent on user access rights. Bespoke data sets in specific formats can be made available for export following consultation.
• Data export formats:
  • CSV
  • Other
• Other data export formats: PDF
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Access to the online web application for all users and applicants is available 24 hours a day, 7 days a week and requires a web browser connected to the internet. The system is guaranteed to have a 99% availability up time. The average uptime for the past 36 moths is 99.97%. ; ; DDC's servers are hosted in a Tier 3+ standard data centre with a 99.982% guaranteed availability.; ; DDC will agree an SLA with the client and measure performance against this. Should this SLA not be reached, steps will be taken to return to the agreed service level.
• Approach to resilience: The web-application and all personal data is hosted on high specification servers located in a secure Tier 3+ data centre as per the Telecommunications Infrastructure Standard (ANSI/TIA-942). The data centre guarantees a 99.982% availability. The organisation has been accredited to their own ISO27001 standard.; ; Servers are regularly tested and maintained to a very high standard to ensure security of data and best practice principles are followed. Operating System (OS) patching is carried out monthly, unless a critical vulnerability is announced. CentOS is used for the Virtual Machines (VMs), which has a conservative upgrade philosophy, for stability. Application security updates are applied as released. Servers are maintained with firewalls and IP restrictions. Further information is available on request.; ; DDC have in place and utilise a documented, secure Disaster Recovery process, which will be used for all client data to maintain resilience. This includes key features:; ; • Spare office location; • Clearly documented recovery procedures for all of the key IT infrastructure components. ; • High availability, periodical and incremental backups.; • Spare hardware to minimise any potential delays in recovery.; • Dedicated lease line connection from the DDC offices ; ; DDC’s Business Continuity and Disaster Recovery Plans can be made available on request.
• Outage reporting: As DDC operate a continuous integration software workflow, regular maintenance windows are unnecessary. If downtime is required notifications are communicated through news channels to the user and applicant with a minimum of 2 week notice. During the downtime a failover page providing notice to the user is displayed. Downtime due to maintenance is scheduled outside of core working hours and will not be between 8am and 8pm Monday to Friday.; ; In the event of system downtime due to unexpected incidents, DDC utilise a failover page hosted on Amazon Web Services (i.e. independent from the main system). This allows notices to be raised about known issues affecting any aspect of the service. This page is then linked to the DDC public site (www.ddc.uk.net) which will display a news article about the issue and the response times. The DDC management team will update this News Article to confirm the phases of the response as per the Disaster Recover and Business Continuity Planning (DR & BCP).

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: User access is restricted through a hierarchy system ensuring that users only access data they are authorised to view. Access levels reflect the user’s role within the pre-employment checking process. This ensures that the user can perform all necessary tasks whilst maintaining the highest level of data security. ; ; Users are granted access through an agreed channel and authorisation process. Each user has unique credentials to access the system, with logging of all actions completed to ensure a complete audit trail is available. Authorised users can access a user report which highlights the level of access granted.
• Access restriction testing frequency: At least once a year
• Management access authentication: Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Alcumus ISOQAR
• ISO/IEC 27001 accreditation date: 02/08/2018
• What the ISO/IEC 27001 doesn’t cover: A.13.1.3 Segregation in networks is excluded. DDC only operate one network domain. ; A.14.2.7 Outsourced development. All DDC software is developed in house.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: TrustWave
• PCI DSS accreditation date: 28/08/2019
• What the PCI DSS doesn’t cover: DDC are fully PCI DSS compliant
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: DDC have ISO27001 Information Security Management Standard which applies to all areas of the business. As part of the requirements the business utilises a detailed wiki on the Core Policies of the business, together with specific Information Security policies and processes. This is regularly audited by a dedicated Information Security Manager, and supported by a working ISO Team. This team also ensure that all team members have undertaken the relevant training to their role within the business, which is updated annually. ; ; Included in the Information Security Management Standard (ISMS) is an extensive policy and process regarding business continuity planning (BCP) and disaster recovery (DR). ISO27001 is a requirement of e-bulk and the organisation incorporates data security considerations into all systems and processes. These policies and processes detail both the procedures and the physical systems which ensures organisations are provided with a resilient and robust system. Policies and procedures are reviewed twice per year, at a specifically convened Information Security Management Systems (ISMS) meeting. As part of this meeting the team run through disaster emulation to pro-actively test the processes and policies in place to ensure they are fit for purpose.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: The Management and Development Team use a formal change control questionnaire for all large developments, as part of a larger project plan. This includes key questions about the business processes affected and a specific section about data security considerations. This six-stage project plan includes, kick off, design & planning, development, testing, deployment, monitoring and review & sign-off stages. The project management template ensures security considerations are evaluated and assessed at every stage of development. Any significant changes affecting clients are communicated through account managers or the Client Area News Feed.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: DDC utilise a detailed risk analysis process which systematically details the hardware/ systems assets in place to generate a risk score. ; Each of the risks is evaluated and given a 'risk score' which must then be reviewed and accepted by the management team. As part of the ongoing investment in the system and ISO27001 accreditation these risks are evaluated each month, to ensure that the risk still exists, the technical solutions in place are still sufficient or if there are other technical solutions that can reduce the risk further.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Vulnerability scans are run monthly as part of the TrustWave PCI compliance system. Ad-hoc scans are run as required during the month, where any system updates are conducted. Annual Penetration tests are run with a certificate of conformity issued by ITGovernance. Any ‘areas for concern’ are emailed to company Directors with corresponding ISMS tasks generated.
• Incident management type: Supplier-defined controls
• Incident management approach: DDC utilise software (Jira) for the reporting and logging of incidents. Tasks are prioritised depending on the severity of the incident and allocate to the relevant department owner. Critical tasks are addressed immediately to reduce potential loss of availability and data exposure.; ; Depending on the nature of the event clients must first report the issue directly the Customer Service Team with specific details required to allow the emulation of the issue. Once replication has been achieved a work ticket is created as a defined ‘non-conformity’ ticket type, with a corresponding development ticket.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Pricing

• Price: £5.00 a unit
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Full access is provided during the trial period. No specific time period is applied. All checks added to the system will be paid for in full. If the client decides not to go ahead, those applications already initiated will be completed.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at jakew@ddc.uk.net. Tell them what format you need. It will help if you say what assistive technology you use.