GatenbySanderson Ltd

GatenbySanderson Competency based Applicant Tracking System (ATS)

End to end applicant tracking (ATS) system, deploying evidence based competency questions. Ideal for senior recruitment/assessment or high volume campaigns when targeting specific competencies. Ability to tailor to reflect organisational competencies / values. Configurable eligibility criteria to encourage self-selection. Dedicated, multi-user client portal with sift, candidate management and reporting tools.


  • Ability to assess candidates against organisational values or competencies
  • Mobile responsive, branded website and URL
  • Eligibility/killer question facility to encourage self-selection in or out
  • Online CV & qualifications builder
  • Word limit/count feature plus ‘Save and continue later’ feature
  • Dedicated, secure portal providing end to end campaign management
  • Online sift facility with individual and benchmark scoring system
  • Randomisation of candidate answers capability to eliminate unconscious bias
  • All monitoring data captured e.g. diversity, reportable at any stage
  • Automated, customisable real time reporting, anonymised if required


  • Limited training required
  • Reduced cost to hire increases internal efficiencies
  • Encourages diversity and reduces possibilities for bias
  • Brand building by providing a positive candidate experience
  • Reduces processing risk for high profile/high value/high volume appointments
  • System can be configured to suit your needs
  • Intuitive design and navigation with clean, uncluttered interface
  • Instant reporting to support internal review and monitoring
  • Provides a transparent and fully auditable recruitment process
  • Benchmark criteria can be configured


£15000 per unit

  • Education pricing available

Service documents


G-Cloud 11

Service ID

4 7 1 3 1 4 4 7 8 6 8 4 8 2 4


GatenbySanderson Ltd

Charlotte Jourdon

07530 578920

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints We keep service down-time to a minimum. If we need to schedule server maintenance, we display a prominent banner on all our websites, advising of maintenance for a minimum of 24 hours prior, and schedule maintenance for out-of-hours (generally after 11pm). We plan ahead to ensure we identify timeframes that avoid or minimise client or user disruption.
System requirements A modern web-browser with javascript enabled

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Within business hours 9am - 5.30pm weekdays, within a few days
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels We can offer a varied level of support depending upon the client requirements. This could relate to configuration options, customisation requirements or assistance relating to execution of activity. We provide a technical account manager and prices will be a cost per hour basis, dependent upon the seniority of personnel required.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started An account and project manager are assigned to each new client project. The project plan will include the process for launch. Configuration requires limited input from the client. The ATS is intuitive and no training is required for users. Telephone / online training support is available if needed. Post launch, the account team are available to answer any questions or provide support to ensure successful implementation of the system.
Service documentation No
End-of-contract data extraction At the end of any contract, we can provide CSV files of relevant data. Where individual data is required to be deleted, we retain anonymous, aggregate data for benchmarking and reporting purposes.
End-of-contract process At the end of the contract, we remove user access to the system and can provide csv data as required, as well as a copy of any website content.

We can continue to host the website and domain name if the client wishes at an annual cost.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Uses a responsive-html design that scales and re-layouts the design for mobile and tablet users.
Service interface No
Customisation available Yes
Description of customisation We offer two levels of customisation - our standard product offers customisation in terms of branding, site content and competency questions asked. Eligibility questions can also be tailored.

Additionally, at an extra cost, clients can request additional functionality or customisation to match the specific needs of their recruitment process. Custom reports are also available for data that needs to be presented in a particular format.

Different levels of service support are also offered.
Content review
Report customisation


Independence of resources We review each project to gauge expected load and determine whether separate server(s) are required or whether a shared server is more cost effective for the client. We routinely monitor the performance of server(s) and take appropriate action to negate any potential disruption.


Service usage metrics Yes
Metrics types We provide a dedicated client portal where authorised users can access real time information, in terms of applicants numbers, scores/grades, progression of applicants, equal opportunities data collected as well as detailed questions we may ask applicants.
In addition, we provide Google analytics metrics for client branded microsites providing, user analysis, content, geography and other useful information that might inform future campaign strategies.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Other
Other data at rest protection approach Data submitted by candidates can only be accessed and/or modified by themselves (requiring a username and password) or within our administration system (requiring a username password).
Passwords are encrypted with bcrypt hashing.
Files (CV's etc) are not encrypted but are stored well outside of web-root and through access-control code so they can only be accessed by authorized users (the candidate for their own documents or by admin users).
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Applicant data can be exported as CSV files.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability Our service commitment is 99.9% during standard office hours. If we fail to reach this level, we would consider the impact upon the client business and agree a level of compensation based upon refunding monthly subscription charges
Approach to resilience We have a real-time replication of database and files to fall-back server(s). Rackspace also take a nightly tape backup. Automatic failover to another server is currently not automatic, though we are working towards this. We have never had any un-planned downtime/outage.
Outage reporting For any outages, we would promptly contact affected clients by telephone or email (depending on time and severity). Public notification would be via our twitter account, and if possible our website(s).

Once an outage has been resolved we will investigate the cause and provide an explanation of what happened, with a timeline, and what changes we will be making to avoid a similar outage in future.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels We have a separate internal administration system, currently this is username/password based (with password strength enforced with 'zxcvbn'). Some parts of the system currently require a signed client-side certificate to view.
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications Cyber Essentials Certified

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards Cyber Essentials Certified
Information security policies and processes We have Data Protection and Data Security Policies that form part of each employee's formal induction process as well as maintaining an ongoing risk register. Additionally, we communicate any ongoing requirements to protect ourselves from vulnerabilities. This includes reminders about the use and care of laptops and mobiles, the importance of password security (which must be changed every 6 weeks).

More formally, colleagues are warned of the potential disciplinary action of failing to adhere to these policies and procedures which could result in the termination of employment. As soon as colleagues leave the business, we terminate access rights and delete accounts.

All admin pages and logins are via HTTPS and we use HSTS to warn users against attempted man-in-the-middle attacks/insecure internet connections.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Change requests and bug reports are directed to defined product owners who evaluate, prioritise and document changes adding them to product backlogs, which are then scheduled into the development cycle.

Code is versioned and branched in a git repository, following the Git-Flow practice of feature branches pull-requested into a develop branch, and releases performed on the master branch. Merges into develop and master branches (and deployment to servers) are restricted to the head of development. Testing is performed on the developers own machines (using virtual machines) and on a staging server before deployment to live servers.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We pro-actively gather information on potential threats from email subscriptions to & , along with regular checks of

New alerts are assessed for if they affect us; For deployment, we use Redhat Enterprise Linux and use LTS versions of packages - rackspace automatically apply patches to servers at least daily, for zero-day exploits if there is a way of mitigating against them (eg rewrite-rules, config changes) we will generally apply protection to the servers ourselves asap. We will then audit servers to confirm that exploit hadn't been used against us.
Protective monitoring type Supplier-defined controls
Protective monitoring approach In terms of our web server, Rackspace monitor access to the servers and inform us immediately if they see any suspicious behaviour. We routinely audit SSH logins and server errors to identify suspicious behaviour.

We are registered with relevant news sites/forums that quickly identify vulnerabilities. We have a fast action response where the Head of Development will allocate and oversee resource to close off any vulnerabilities. We engage external experts where required to advise us. We expect to respond within 1 hour during working hours to any alert and within 12 hours at other times.
Incident management type Supplier-defined controls
Incident management approach Users report incidents via phone & email and these are forwarded directly to the Development team.

We deploy the development team to investigate incidents, exploits or areas of vulnerability and whether a breach as occurred. Vulnerabilities are closed. We have a central breach register, which documents a formal communications plan to inform individuals, organisations and regulators of the potential compromise.

Breaches of security are formally reported at Board Level and documented in monthly board reports. Remedial action required is agreed and executed within specific timeframes. Learnings are documented and any change to best practice implemented.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £15000 per unit
Discount for educational organisations Yes
Free trial available No

Service documents

Return to top ↑