GOV.UK
Access Screening
Access Screening is one of the UK’s most respected background screening providers offering comprehensive vetting capabilities.
Harnessing state-of-the-art functionalities, Access Screening delivers a highly automated cost-effective, user-friendly compliance solution that is already integrated into Access's own front office CRM system and can be integrated into HR and recruitment platforms.
Features
- Screening technology platform, Cloud hosted
- Large array of screening checks including Financial, Criminal, RTW, International
- Real time dashboard, reports & live tracking
- Digitial Signing integration
- JSON API, Easy integration with ATS/HR systems
- Responsive User Interface - PC, Tablet, Mobile
- Self configuration available, Branding & White labelling
- PDF Export of Candidate Information & MI Reporting
- Full Audit history of actions & Flexible data collection configuration
- Right to Work App - Compatible with IOS & Android
Benefits
- Speeds up the recruitment process so placements are quicker
- Reduces your recruitment costs
- One stop shop screening compliance, no separate links to disclosures
- Great Candidate & User experience - Easy to use
- MI reports in real time
- Can be accessed from any location or device
- Assists with compliance and legislative changes
- Integration with front/back office solutions means less re-keying
- Automated data results allow swifter decisions
- Ticketing system, fast responses, no waiting in long call queues
Pricing
£1 per transaction
- Education pricing available
Service documents
- Pricing document
- Skills Framework for the Information Age rate card
- Service definition document
- Terms and conditions
- Modern Slavery statement
Framework
G-Cloud 11
Service ID
427197040842280
Contact
Service scope
| Software add-on or extension | Yes, but can also be used as a standalone service |
| What software services is the service an extension to | ATS, Front Office CRM Recruitment Systems, HR & Payroll - front and/or back office |
| Cloud deployment model | Private cloud |
| Service constraints |
Planned maintenance occurs between 11PM & 4AM Mon-Fri, 8AM & 5PM Sat-Sun. Notification 60 Hours ahead of time if more than 1 hours downtime expected. |
| System requirements |
|
User support
| Email or online ticketing support | Email or online ticketing |
| Support response times | SLA's detailed in service agreement to ensure timely response |
| User can manage status and priority of support tickets | Yes |
| Online ticketing support accessibility | None or don’t know |
| Phone support | Yes |
| Phone support availability | 9 to 5 (UK time), Monday to Friday |
| Web chat support | Yes, at an extra cost |
| Web chat support availability | 9 to 5 (UK time), Monday to Friday |
| Web chat support accessibility standard | None or don’t know |
| How the web chat support is accessible | Technology dependent |
| Web chat accessibility testing | Freshworks / SalesForce Service Cloud Dependent |
| Onsite support | Yes, at extra cost |
| Support levels |
Support Team - Ticketing System/Phone Support Implementation Consultant - Initial set up/training Account Manager - To include quarterley reviews, face to face meetings Technical & Cloud Account Manager - if required Escalations to: Customer Success manager Head of Access Screening |
| Support available to third parties | No |
Onboarding and offboarding
| Getting started | An implementation consultant is assigned to see project through to go-live, this includes training onsite & remote, manuals and system setup assistance. |
| Service documentation | Yes |
| Documentation formats |
|
| End-of-contract data extraction | When termination notice is served a date will be agreed on which access will be revoked, and all data exported. Data will be represented as XML, individual JSON records & a directory structure containing static files. This will be supplied either via a secure transfer, or encrypted physical media. |
| End-of-contract process | When termination notice is served a date will be agreed on which access will be revoked. Included in the contract price is a data extraction in our default format, any customisation to this format will be chargeable. Un-used credit balances will be refunded according to the contracted terms. |
Using the service
| Web browser interface | Yes |
| Supported browsers |
|
| Application to install | No |
| Designed for use on mobile devices | Yes |
| Differences between the mobile and desktop service |
All functionality available on mobile & desktop devices. The Right to Work App is downloadable from Apple Store, Google Play etc and is fully compatible with IOS and Android devices |
| API | Yes |
| What users can and can't do using the API | JSON API available for process initiation, completion polling & result (both as data & PDF export) gathering. |
| API documentation | Yes |
| API documentation formats |
|
| API sandbox or test environment | Yes |
| Customisation available | Yes |
| Description of customisation |
Customisation/configuration can be accessed from within the system provided a User has the correct permission level: Brands, Workflows, Check Types, Turnaround Times, Supplied Documents, Requested Documents, Candidate Questions, Referee Questions/Ratings, Brand logo & colours, Emails and templates, System Templates, Validation Timings, Users/Permissions with Password Resets |
Scaling
| Independence of resources | Screening is a single instance / multi tenant application hosted on load balanced infrastructure with redundancy between scaling servers. |
Analytics
| Service usage metrics | Yes |
| Metrics types | Customers can review service usage in the system, via real time dashboards & MI reports. These show numbers of users, number of candidates, data checks, references submitted, etc. |
| Reporting types |
|
Resellers
| Supplier type | Not a reseller |
Staff security
| Staff security clearance | Conforms to BS7858:2012 |
| Government security clearance | Up to Baseline Personnel Security Standard (BPSS) |
Asset protection
| Knowledge of data storage and processing locations | Yes |
| Data storage and processing locations |
|
| User control over data storage and processing locations | No |
| Datacentre security standards | Complies with a recognised standard (for example CSA CCM version 3.0) |
| Penetration testing frequency | At least once a year |
| Penetration testing approach | ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider |
| Protecting data at rest |
|
| Other data at rest protection approach | AWS RDS & S3 Encryption |
| Data sanitisation process | Yes |
| Data sanitisation type |
|
| Equipment disposal approach | A third-party destruction service |
Data importing and exporting
| Data export approach |
Individual Candidates available as PDF / JSON (Via API) Bulk meta-data via MI reports Bulk data via XML Export, or data-export procedure as part of offboarding |
| Data export formats |
|
| Other data export formats |
|
| Data import formats |
|
| Other data import formats | JSON (Via API) |
Data-in-transit protection
| Data protection between buyer and supplier networks | TLS (version 1.2 or above) |
| Data protection within supplier network |
|
| Other protection within supplier network | AWS Security Groups define permitted intra-server connections |
Availability and resilience
| Guaranteed availability | We will use commercially reasonable efforts to make the SaaS available 24 hours a day, seven days a week, except for unavailability during emergency or routine maintenance. |
| Approach to resilience | Application hosted on multiply redundant virtual infrastructure, hardware managed by AWS. More details available on request. |
| Outage reporting | Email Alerts & In-System Tooling |
Identity and authentication
| User authentication needed | Yes |
| User authentication |
|
| Access restrictions in management interfaces and support channels |
User Role / Permission system, and data segmentation within customer accounts. Nominated contacts within customers have escalation route. |
| Access restriction testing frequency | At least every 6 months |
| Management access authentication |
|
Audit information for users
| Access to user activity audit information | Users have access to real-time audit information |
| How long user audit data is stored for | At least 12 months |
| Access to supplier activity audit information | Users have access to real-time audit information |
| How long supplier audit data is stored for | At least 12 months |
| How long system logs are stored for | At least 12 months |
Standards and certifications
| ISO/IEC 27001 certification | Yes |
| Who accredited the ISO/IEC 27001 | Alcumus |
| ISO/IEC 27001 accreditation date | 26/07/2018 |
| What the ISO/IEC 27001 doesn’t cover | Nothing is excluded. |
| ISO 28000:2007 certification | No |
| CSA STAR certification | No |
| PCI certification | No |
| Other security certifications | No |
Security governance
| Named board-level person responsible for service security | Yes |
| Security governance certified | Yes |
| Security governance standards | ISO/IEC 27001 |
| Information security policies and processes | All controls included within Annex A of the ISO27001:2013 standard. Statement Of Applicability (SOA) available on request. |
Operational security
| Configuration and change management standard | Supplier-defined controls |
| Configuration and change management approach | All change management in line with Secure Development Policy & IS27001, using ticketing system, automated tests & staged release process. |
| Vulnerability management type | Supplier-defined controls |
| Vulnerability management approach | Both Application and Infrastructure subject to regular penetration & load testing. All servers have unattended-upgrades enabled for automatic installation of security updates. Logs retained in write-only storage & regularly reviewed. All physical infrastructure managed by Amazon. |
| Protective monitoring type | Supplier-defined controls |
| Protective monitoring approach | Real-time monitoring and alerting enabled of application and all server infrastructure. Traffic, Load, Database Performance & API Volume via Dashboards. Response time derived from severity, details in Service Level Agreements contract section. |
| Incident management type | Supplier-defined controls |
| Incident management approach | We operate a robust incident management process in line with ISO27001: Staff are encouraged to report all incidents using a pre-defined process using a form available on our Company Intranet site. Incident reports will be provided following forensics and closure. |
Secure development
| Approach to secure software development best practice | Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0) |
Public sector networks
| Connection to public sector networks | No |
Pricing
| Price | £1 per transaction |
| Discount for educational organisations | Yes |
| Free trial available | No |