VERIFILE LIMITED

Employment Screening, Disclosure & Barring Service DBS Checks and BPSS Baseline Vetting copy

Employment screening, BPSS (Baseline) vetting and DBS / CRB services. Verifile's secure vetting platform enables employers to select global background check services. Integration with the DBS (Disclosure and Barring Service) ensures the fastest turnaround for UK criminal record checks. Authenticating all data sources for staff vetting detects fake references and qualifications.

Features

  • RANGE OF QUICK CHECKS SUPPORTING EMPLOYERS WITH VETTING DURING PANDEMIC
  • Queen's Award-winning cloud-based background screening and BPSS vetting
  • Full range of DBS checks and global background screening services
  • Accessibility upgrade - WCAG2.1, ADA (Section 508) and EN301549 compliant
  • Loaded with validation tools to ensure accuracy/minimise user errors
  • Fast flexible set-up, with integrated DBS criminal record checks
  • Dedicated Client and Candidate Support Teams for all vetting services
  • 100% UK-based operation and data storage
  • All data sources and vetting subjects fully researched and authenticated
  • Online MI reports and analytics for DBS and BPSS services

Benefits

  • Fastest DBS vetting turnaround times due to lowest error rate
  • 50% of Basic DBS (CRB) results received within 24 hours
  • Place orders, track progress and view staff vetting results online
  • Integrate with your ATS or HR system for increased efficiencies
  • Stay up-to-date with customisable email notifications/status updates
  • Personalised candidate messaging, your account branded with your logo
  • Reducing risk with GDPR-compliant and compliant criminal record checking service
  • Robust BPSS (Baseline) screening reports enable informed recruitment decisions
  • 20 languages spoken in-house ensures extensive global reach
  • Direct DBS Disclosure and Barring Service integration means fastest results

Pricing

£2.50 a transaction

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@verifile.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

476722060123722

Contact

VERIFILE LIMITED
Tom Bell-Green
Telephone: +44 (0) 1234 608090
Email: sales@verifile.co.uk

Service scope

Software add-on or extension
No
Cloud deployment model
  • Community cloud
  • Hybrid cloud
Service constraints
No
System requirements
N/A

User support

Email or online ticketing support
Email or online ticketing
Support response times
We encourage clients and candidates to call for instant support. However, our internal SLA is to respond to emails from clients and candidates within 4 working hours.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Verifile operates with three teams supporting our clients: two distinctly separate levels of client support, as well as a dedicated team whose sole role is to support the applicants/candidates.

For Managed Accounts, your Account Manager provides stakeholders with information, support and guidance regarding your employment screening programme. The AM will provide Account Governance, regular review meetings, consultation and guidance, project management, MI reports and account analysis.

For Unmanaged Accounts, your team will be supported by Verifile’s highly experienced Customer Service Manager (in place of an account manager) and his dedicated Client and Candidate Support Teams for day-to-day enquiries and requests.

There is no cost for account support.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We recommend that Verifile deliver training on the screening process before going live to all staff that will have interaction with Verifile.

Verifile’s system is intuitive and easy to master, particularly from the client facing perspective. Training and re-training sessions can be scheduled via web conference at any stage and will typically take just 30 minutes to complete, including Q&As.

Depending on the number of users requiring training, initial training can typically be delivered on-site as part of the implementation process; however, any subsequent user training or refresher sessions would typically be delivered by web meetings.

Users are provided access to videos and soft copies of user guides as part of the welcome pack. These can also be downloaded from the Verifile platform’s document library at any time to help new users when joining the team. We also provide access to our interactive system training demo, which can also be adopted to support a train-the-trainer approach.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats
Data for Integration Purposes
End-of-contract data extraction
We can provide copies of final reports in the existing PDF format and on other media requested, as long as this meets legal and our own business obligations to ensure the security of data.

These reports can be downloaded directly from our platform at any time or transferred via other means such as SFTP. File notes, full audit history, original reference copies and all other information held on the Verifile system can be provided as raw data.

Part of the leaving process will be to create an information asset register so all data held by Verifile is identified and a decision made on retention, transfer or disposal. We will need to retain a certain amount of ‘skeleton data’ in order to fulfil our legal and auditing obligations but none will include personally identifiable information about your candidates.

Once the demobilisation plan has been executed, we will provide written confirmation to that effect.
End-of-contract process
Demobilisation Plan - All data held on our system, including pdf final reports, can be provided to you. A secure method of transfer would need to be utilised due to the personal information held and the volume of data. As long as we continue to receive orders from you we will continue to fulfil them in line with the agreed packages and SLA. All clients’ orders experience the same high level of service, irrespective of whether any particular client has expressed their intention to transition away from Verifile.

Technical support will be available to assist with the transfer of data and any other needs that may be identified in transition planning discussions and we have a defined leaver’s process which would be executed jointly with yourselves. The process includes ensuring that all user accesses are closed, and decisions are made on the retention, transfer or deletion of data. We ask that leaving clients provide feedback on our service to help us continually review and refine our service.

We would also be open to working with new suppliers during transition and would provide any assistance required.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
None
Service interface
No
API
Yes
What users can and can't do using the API
Verifile’s RESTful API uses JSON to transfer data to a third-party system. Buyers typically connect their Applicant Tracking System (ATS) with our system - the Verifile API was designed for this purpose. Buyers use our API to automate their authentication and background check (incl. DBS) processes without needing to run on two separate platforms.

The Verifile API offers access to ~800 different background checks worldwide and the option to set up customisable packages for easier deployment.

Buyers can integrate part of or the full workflow: placing orders, tracking statuses, monitoring progress, obtaining results and final reports.

Orders can be raised as "client entry" (you have all the data and consent to start checks) or "candidate entry". Supporting documentation can be uploaded to an order.

We use Azure API Management (APIM) which handles user authentication and key management.

Our Developer Documentation site (https://developer.verifile.co.uk/) provides your team with detailed information on:

  • Registration to obtain keys
  • Live & Test API
  • Headers
  • Raising orders
  • Order statuses
  • Final reports
  • Packages
  • Attachments
  • Helper methods
  • Error messages

When your development team is ready, access to a sandbox environment will be provided to complete test scenarios whilst you are building the integration.
API documentation
Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Users can choose to customise the way the API works inasmuch as they can choose to integrate parts of or the full workflow.

Buyers can configure the service account in a variety of different ways. For example, users can choose:
- from Standard, Enhanced and VIP service levels
- client-entry, or candidate-entry of data fields and consent
- to place orders via API or via our online portal
- a la carte self-service, or selecting from pre-determined packages of checks for quick ordering of background checks
- different variations for many of our checks. For example, we offer 3 alternative routes for confirming identity for your DBS criminal record checks, including a Post Office DBS ID verification service, and various different levels of international criminal record checks for many countries.

The account structure is also easily customised to suit any organisation and hierarchy. Individual permissions, sub-accounts, branches, locations, departments, etc. can all be accommodated.

Even individual users can customise their own notifications, alerts, and MI reporting frequency.

Scaling

Independence of resources
Local office systems are monitored for capacity with monthly reports produced by Aztech IT Solutions. Hosted systems are monitored by Rackspace and automated capacity threshold notification systems are in place. The Verifile Development Team reviews application, database, system and server logs each week along with checking and recording current server capacities on an internal record keeping system.

Analytics

Service usage metrics
Yes
Metrics types
We can provide a range of metrics to support the buyer.
Examples of what we can provide in a formal review of KPIs include:
• Candidate Age Range
• Candidate Nationality
• Candidate Submission Times
• Individual Check Orders
• Individual Check Results
• Individual Check Completion Times (i.e. for DBS checks)
• Overall Order Completion Times (i.e. for BPSS screening packages)
• Overall Orders Placed Per Month
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
Physical access control, complying with CSA CCM v3.0
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Via API, via MI reports, or via download from the Verifile online portal.
Data export formats
  • CSV
  • Other
Other data export formats
Users can also export data via the API
Data import formats
  • CSV
  • Other
Other data import formats
  • Bulk upload data can be provided to us via CSV
  • Data can be provided via API / JSON
  • Photos and scanned documents in JPG/JPEG

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks
SSL, as users typically interact with Verifile's web application, not email.
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
We aim for 99.9% availability and last year achieved 99.97%
Approach to resilience
Available on Request
Outage reporting
4-hour warning with count-down for planned outages.
Updates are communicated to clients via email and via messaging on the extranet (Client Portal).

Identity and authentication

User authentication needed
Yes
User authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels
Access to the production system is via unique accounts; there are no shared accounts. All access is logged, including access to the hosted systems made outside the application interface, and logs are reviewed weekly. Verifile have implemented Reblaze Web Application Firewall (WAF). The WAF continuously monitors traffic using a variety of methods including: threat blacklisting, bot identification algorithms, header, form, and field policy enforcement, HTTP error triggering, resource consumption thresholds, schema validation, content evaluation, minefields and honeypots, signatures, IP address allocation maps, TOR network mapping, progressive challenge mechanisms, argument limitations, RFC compliance, nested encoding detection, method filtering, payload inspection and behavioural analysis.
Access restriction testing frequency
At least once a year
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
  • Other
Description of management access authentication
IP Whitelisting

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Alcumus ISOQAR
ISO/IEC 27001 accreditation date
24/01/2019
What the ISO/IEC 27001 doesn’t cover
N/A - This industry standard applies to all elements of the Verifile group.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
  • Cyber Essentials Plus
  • NSI Gold for Security Vetting
  • ISO 22301 Business Continuity Management Systems

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Cyber Essentials Plus
Information security policies and processes
We adhere to:

The Data Protection Act (1998)
Copyright, Designs and Patents Act (1988)
Computer Misuse Act (1990)
Regulation of Investigatory Powers Act (2000)
Human Rights Act (2000)

Further information is available upon request within our Data Security Policy Document.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
• Compliant with extant Verifile coding standards.

• Subject to a design review against the Open Web Application Security Project (OWASP) Top 10 most critical web application security risks.

• Follow Microsoft guidelines for ASP.NET Web App Security.

• Reviewed by another developer.

• Tested in accordance with the formal testing process.

The components are tracked through being outsourced to Rackspace and Aztech IT Solutions.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
The identification, testing and application of relevant patches for operating systems, firmware and application software packages excluding Verifile software applications are managed services by Rackspace and Aztech IT Solutions.

All anti-virus and relevant security updates and service packs are applied as soon as they are released, evaluated and tested.

AV software is installed on the live production servers and managed by Rackspace.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
The identification, testing and application of relevant patches for operating systems, firmware and application software packages excluding Verifile software applications are managed services by Rackspace and Aztech IT Solutions.

Alerting and monitoring is in place 24x7 for both the live application hosting environment and the local Verifile IT estate.

Verifile will work with you to agree a formal incident reporting and response plan including relevant points of contact.
Incident management type
Supplier-defined controls
Incident management approach
Verifile will alert the customer to incidents according to our Incident Management Policy.

It is the responsibility of the Information Security Manager to commission security investigations as deemed necessary by them.

As part of Verifile’s commitment to ISO27001 and ISO9001 certification, reporting of Information Security weaknesses is encouraged from all personnel and recorded under the ISO9001 system for Corrective and Preventive Action.

The reporting of Information Security weaknesses is encouraged from all personnel. All relevant incidents are recorded under the ISO 9001 system for Corrective and Preventive Action.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Pricing

Price
£2.50 a transaction
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
To help the UK during this pandemic Verifile is offering FREE DBS Checks for emergency workers. The service is for all emergency health and social care workers supporting the NHS in providing care and treatment for Covid-19.
Link to free trial
https://library.verifile.co.uk/free-dbs-checks
