GatenbySanderson Competency based Applicant Tracking System (ATS)
End to end applicant tracking (ATS) system, deploying evidence based competency questions. Ideal for senior recruitment/assessment or high volume campaigns when targeting specific competencies. Ability to tailor to reflect organisational competencies / values. Configurable eligibility criteria to encourage self-selection. Dedicated, multi-user client portal with sift, candidate management and reporting tools.
- Ability to assess candidates against organisational values or competencies
- Mobile responsive, branded website and URL
- Eligibility/killer question facility to encourage self-selection in or out
- Online CV & qualifications builder
- Word limit/count feature plus ‘Save and continue later’ feature
- Dedicated, secure portal providing end to end campaign management
- Online sift facility with individual and benchmark scoring system
- Randomisation of candidate answers capability to eliminate unconscious bias
- All monitoring data captured e.g. diversity, reportable at any stage
- Automated, customisable real time reporting, anonymised if required
- Limited training required
- Reduced cost to hire increases internal efficiencies
- Encourages diversity and reduces possibilities for bias
- Brand building by providing a positive candidate experience
- Reduces processing risk for high profile/high value/high volume appointments
- System can be configured to suit your needs
- Intuitive design and navigation with clean, uncluttered interface
- Instant reporting to support internal review and monitoring
- Provides a transparent and fully auditable recruitment process
- Benchmark criteria can be configured
£15000 per unit
- Education pricing available
|Software add-on or extension||No|
|Cloud deployment model||Public cloud|
|Service constraints||We keep service down-time to a minimum. If we need to schedule server maintenance, we display a prominent banner on all our websites, advising of maintenance for a minimum of 24 hours prior, and schedule maintenance for out-of-hours (generally after 11pm). We plan ahead to ensure we identify timeframes that avoid or minimise client or user disruption.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||Within business hours 9am - 5.30pm weekdays, within a few days|
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
|Support levels||We can offer a varied level of support depending upon the client requirements. This could relate to configuration options, customisation requirements or assistance relating to execution of activity. We provide a technical account manager and prices will be a cost per hour basis, dependent upon the seniority of personnel required.|
|Support available to third parties||Yes|
Onboarding and offboarding
|Getting started||An account and project manager are assigned to each new client project. The project plan will include the process for launch. Configuration requires limited input from the client. The ATS is intuitive and no training is required for users. Telephone / online training support is available if needed. Post launch, the account team are available to answer any questions or provide support to ensure successful implementation of the system.|
|End-of-contract data extraction||At the end of any contract, we can provide CSV files of relevant data. Where individual data is required to be deleted, we retain anonymous, aggregate data for benchmarking and reporting purposes.|
At the end of the contract, we remove user access to the system and can provide csv data as required, as well as a copy of any website content.
We can continue to host the website and domain name if the client wishes at an annual cost.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||Uses a responsive-html design that scales and re-layouts the design for mobile and tablet users.|
|Description of customisation||
We offer two levels of customisation - our standard product offers customisation in terms of branding, site content and competency questions asked. Eligibility questions can also be tailored.
Additionally, at an extra cost, clients can request additional functionality or customisation to match the specific needs of their recruitment process. Custom reports are also available for data that needs to be presented in a particular format.
Different levels of service support are also offered.
|Independence of resources||We review each project to gauge expected load and determine whether separate server(s) are required or whether a shared server is more cost effective for the client. We routinely monitor the performance of server(s) and take appropriate action to negate any potential disruption.|
|Service usage metrics||Yes|
We provide a dedicated client portal where authorised users can access real time information, in terms of applicants numbers, scores/grades, progression of applicants, equal opportunities data collected as well as detailed questions we may ask applicants.
In addition, we provide Google analytics metrics for client branded microsites providing, user analysis, content, geography and other useful information that might inform future campaign strategies.
|Supplier type||Not a reseller|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||No|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||Other|
|Other data at rest protection approach||
Data submitted by candidates can only be accessed and/or modified by themselves (requiring a username and password) or within our administration system (requiring a username password).
Passwords are encrypted with bcrypt hashing.
Files (CV's etc) are not encrypted but are stored well outside of web-root and through access-control code so they can only be accessed by authorized users (the candidate for their own documents or by admin users).
|Data sanitisation process||Yes|
|Data sanitisation type||Explicit overwriting of storage before reallocation|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||Applicant data can be exported as CSV files.|
|Data export formats||CSV|
|Data import formats||CSV|
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
|Guaranteed availability||Our service commitment is 99.9% during standard office hours. If we fail to reach this level, we would consider the impact upon the client business and agree a level of compensation based upon refunding monthly subscription charges|
|Approach to resilience||We have a real-time replication of database and files to fall-back server(s). Rackspace also take a nightly tape backup. Automatic failover to another server is currently not automatic, though we are working towards this. We have never had any un-planned downtime/outage.|
For any outages, we would promptly contact affected clients by telephone or email (depending on time and severity). Public notification would be via our twitter account, and if possible our website(s).
Once an outage has been resolved we will investigate the cause and provide an explanation of what happened, with a timeline, and what changes we will be making to avoid a similar outage in future.
Identity and authentication
|User authentication needed||Yes|
|User authentication||Username or password|
|Access restrictions in management interfaces and support channels||We have a separate internal administration system, currently this is username/password based (with password strength enforced with 'zxcvbn'). Some parts of the system currently require a signed client-side certificate to view.|
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||Username or password|
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||User-defined|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||Cyber Essentials Certified|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||Other|
|Other security governance standards||Cyber Essentials Certified|
|Information security policies and processes||
We have Data Protection and Data Security Policies that form part of each employee's formal induction process as well as maintaining an ongoing risk register. Additionally, we communicate any ongoing requirements to protect ourselves from vulnerabilities. This includes reminders about the use and care of laptops and mobiles, the importance of password security (which must be changed every 6 weeks).
More formally, colleagues are warned of the potential disciplinary action of failing to adhere to these policies and procedures which could result in the termination of employment. As soon as colleagues leave the business, we terminate access rights and delete accounts.
All admin pages and logins are via HTTPS and we use HSTS to warn users against attempted man-in-the-middle attacks/insecure internet connections.
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
Change requests and bug reports are directed to defined product owners who evaluate, prioritise and document changes adding them to product backlogs, which are then scheduled into the development cycle.
Code is versioned and branched in a git repository, following the Git-Flow practice of feature branches pull-requested into a develop branch, and releases performed on the master branch. Merges into develop and master branches (and deployment to servers) are restricted to the head of development. Testing is performed on the developers own machines (using virtual machines) and on a staging server before deployment to live servers.
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||
We pro-actively gather information on potential threats from email subscriptions to http://cve.mitre.org & https://www.us-cert.gov/ncas/alerts , along with regular checks of https://www.reddit.com/r/netsec.
New alerts are assessed for if they affect us; For deployment, we use Redhat Enterprise Linux and use LTS versions of packages - rackspace automatically apply patches to servers at least daily, for zero-day exploits if there is a way of mitigating against them (eg rewrite-rules, config changes) we will generally apply protection to the servers ourselves asap. We will then audit servers to confirm that exploit hadn't been used against us.
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
In terms of our web server, Rackspace monitor access to the servers and inform us immediately if they see any suspicious behaviour. We routinely audit SSH logins and server errors to identify suspicious behaviour.
We are registered with relevant news sites/forums that quickly identify vulnerabilities. We have a fast action response where the Head of Development will allocate and oversee resource to close off any vulnerabilities. We engage external experts where required to advise us. We expect to respond within 1 hour during working hours to any alert and within 12 hours at other times.
|Incident management type||Supplier-defined controls|
|Incident management approach||
Users report incidents via phone & email and these are forwarded directly to the Development team.
We deploy the development team to investigate incidents, exploits or areas of vulnerability and whether a breach as occurred. Vulnerabilities are closed. We have a central breach register, which documents a formal communications plan to inform individuals, organisations and regulators of the potential compromise.
Breaches of security are formally reported at Board Level and documented in monthly board reports. Remedial action required is agreed and executed within specific timeframes. Learnings are documented and any change to best practice implemented.
|Approach to secure software development best practice||Supplier-defined process|
Public sector networks
|Connection to public sector networks||No|
|Price||£15000 per unit|
|Discount for educational organisations||Yes|
|Free trial available||No|