The Access Group

Access Screening

Access Screening is one of the UK’s most respected background screening providers offering comprehensive vetting capabilities.

Harnessing state-of-the-art functionalities, Access Screening delivers a highly automated cost-effective, user-friendly compliance solution that is already integrated into Access's own front office CRM system and can be integrated into HR and recruitment platforms.

Features

• Screening technology platform, Cloud hosted
• Large array of screening checks including Financial, Criminal, RTW, International
• Real time dashboard, reports & live tracking
• Digitial Signing integration
• JSON API, Easy integration with ATS/HR systems
• Responsive User Interface - PC, Tablet, Mobile
• Self configuration available, Branding & White labelling
• PDF Export of Candidate Information & MI Reporting
• Full Audit history of actions & Flexible data collection configuration
• Right to Work App - Compatible with IOS & Android

Benefits

• Speeds up the recruitment process so placements are quicker
• Reduces your recruitment costs
• One stop shop screening compliance, no separate links to disclosures
• Great Candidate & User experience - Easy to use
• MI reports in real time
• Can be accessed from any location or device
• Assists with compliance and legislative changes
• Integration with front/back office solutions means less re-keying
• Automated data results allow swifter decisions
• Ticketing system, fast responses, no waiting in long call queues

£1 per transaction

• Education pricing available

Service documents

• Pricing document (pdf)
• Skills Framework for the Information Age rate card (pdf)
• Service definition document (pdf)
• Terms and conditions (pdf)
• Modern Slavery statement (pdf)

Framework

G-Cloud 11

Service ID

427197040842280

Contact

The Access Group

Richard Gyles

01206322575,3,2252

Richard.Gyles@theaccessgroup.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: ATS, Front Office CRM Recruitment Systems, HR & Payroll - front and/or back office
• Cloud deployment model: Private cloud
• Service constraints: Planned maintenance occurs between 11PM & 4AM Mon-Fri, 8AM & 5PM Sat-Sun. ; ; Notification 60 Hours ahead of time if more than 1 hours downtime expected.
• System requirements:
  • Current Web Browser (Receiving security updates)
  • Internet Access

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: SLA's detailed in service agreement to ensure timely response
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Yes, at an extra cost
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: None or don’t know
• How the web chat support is accessible: Technology dependent
• Web chat accessibility testing: Freshworks / SalesForce Service Cloud Dependent
• Onsite support: Yes, at extra cost
• Support levels: Support Team - Ticketing System/Phone Support; Implementation Consultant - Initial set up/training; Account Manager - To include quarterley reviews, face to face meetings; Technical & Cloud Account Manager - if required; ; Escalations to:; Customer Success manager; Head of Access Screening
• Support available to third parties: No

Onboarding and offboarding

• Getting started: An implementation consultant is assigned to see project through to go-live, this includes training onsite & remote, manuals and system setup assistance.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: When termination notice is served a date will be agreed on which access will be revoked, and all data exported. Data will be represented as XML, individual JSON records & a directory structure containing static files. This will be supplied either via a secure transfer, or encrypted physical media.
• End-of-contract process: When termination notice is served a date will be agreed on which access will be revoked. Included in the contract price is a data extraction in our default format, any customisation to this format will be chargeable. Un-used credit balances will be refunded according to the contracted terms.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: All functionality available on mobile & desktop devices.; The Right to Work App is downloadable from Apple Store, Google Play etc and is fully compatible with IOS and Android devices
• Service interface: No
• API: Yes
• What users can and can't do using the API: JSON API available for process initiation, completion polling & result (both as data & PDF export) gathering.
• API documentation: Yes
• API documentation formats:
  • HTML
  • PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Customisation/configuration can be accessed from within the system provided a User has the correct permission level:; Brands,; Workflows,; Check Types,; Turnaround Times,; Supplied Documents,; Requested Documents,; Candidate Questions,; Referee Questions/Ratings,; Brand logo & colours,; Emails and templates,; System Templates,; Validation Timings,; Users/Permissions with Password Resets

Scaling

• Independence of resources: Screening is a single instance / multi tenant application hosted on load balanced infrastructure with redundancy between scaling servers.

Analytics

• Service usage metrics: Yes
• Metrics types: Customers can review service usage in the system, via real time dashboards & MI reports. These show numbers of users, number of candidates, data checks, references submitted, etc.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2012
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: AWS RDS & S3 Encryption
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Individual Candidates available as PDF / JSON (Via API); ; Bulk meta-data via MI reports; ; Bulk data via XML Export, or data-export procedure as part of offboarding
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • XML
  • JSON
• Data import formats:
  • CSV
  • Other
• Other data import formats: JSON (Via API)

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
• Other protection within supplier network: AWS Security Groups define permitted intra-server connections

Availability and resilience

• Guaranteed availability: We will use commercially reasonable efforts to make the SaaS available 24 hours a day, seven days a week, except for unavailability during emergency or routine maintenance.
• Approach to resilience: Application hosted on multiply redundant virtual infrastructure, hardware managed by AWS. More details available on request.
• Outage reporting: Email Alerts & In-System Tooling

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: User Role / Permission system, and data segmentation within customer accounts. ; ; Nominated contacts within customers have escalation route.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Alcumus
• ISO/IEC 27001 accreditation date: 26/07/2018
• What the ISO/IEC 27001 doesn’t cover: Nothing is excluded.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: All controls included within Annex A of the ISO27001:2013 standard. Statement Of Applicability (SOA) available on request.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: All change management in line with Secure Development Policy & IS27001, using ticketing system, automated tests & staged release process.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Both Application and Infrastructure subject to regular penetration & load testing. All servers have unattended-upgrades enabled for automatic installation of security updates. Logs retained in write-only storage & regularly reviewed. All physical infrastructure managed by Amazon.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Real-time monitoring and alerting enabled of application and all server infrastructure. Traffic, Load, Database Performance & API Volume via Dashboards. Response time derived from severity, details in Service Level Agreements contract section.
• Incident management type: Supplier-defined controls
• Incident management approach: We operate a robust incident management process in line with ISO27001: Staff are encouraged to report all incidents using a pre-defined process using a form available on our Company Intranet site. Incident reports will be provided following forensics and closure.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Pricing

• Price: £1 per transaction
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document (pdf)
• Skills Framework for the Information Age rate card (pdf)
• Service definition document (pdf)
• Terms and conditions (pdf)
• Modern Slavery statement (pdf)