PASS Technology

Warrantor - Vetting and Screening Solution

PASS Warrantor is a full-service background checking solution for Government, Defence, public sector organisations and police forces. Our fully customisable software gives you the ability to retain control and visibility of your background checking process in-house whilst our cutting edge technology helps to drive efficiencies in your process.


  • Manages screening workflow for clearances
  • GDPR Compliant
  • Customisable workflows
  • Customisable interface
  • Customisable templates
  • After care checks managed within system
  • Dynamic applicant portal to ensure only minimum data is gathered
  • Full audit trails and reporting
  • Biometric identity verification
  • Machine learning built in


  • Gain full control over vetting processes and workflows
  • Achieve high levels of compliance
  • Cost reduction and improved ROI
  • Automatic validation of incoming data removes error
  • TODO lists and workbenches focus user activity
  • Online candidate portal removes back-office admin
  • Can be accessed from any location or device
  • Integration of ATS systems means less re-keying
  • Provides comprehensive reporting and analysis
  • Enables multi-force collaboration


£175 to £175 per user per month

Service documents


G-Cloud 11

Service ID

4 8 4 4 0 5 7 3 4 8 0 5 0 7 7


PASS Technology

Gareth Downing

+44(0) 3301 132 361

Service scope

Service scope
Software add-on or extension No
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints Planned maintenance can occur 6pm-8am Mon-Fri, 8am-5pm Sat/Sun.

Any downtime is arranged in advance with clients at a mutually agreeable date and time slot.
System requirements
  • WEB browser (with security updates)
  • Internet Access

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Dependent upon priority. Standard SLAs are as follows:

P1 - Customer operations are significantly affected - Response: Hourly updates, Resolution:Emergency service pack or workaround

P2 - A minor function of the solution is inoperable - Response: 1 Day, Resolution:Next planned service pack

P3 - A problem is detected that has minimal impact on daily operations - Response: 2 business days, Resolution : Next planned release

P4 - A cosmetic issue - Response 5 business days, Resolution: Next user group review
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Support Team – Ticketing System / Phone Support
Implementation Consultant – Initial setup and training
Account Manager – Quarterly business reviews, face to face meetings, first point of call
Service Delivery Manager – Monthly service reviews
Technical project manager – as required

Escalation points
Service Desk -> Service Delivery Manager
Service Delivery Manger -> CTO
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started As part of the setup process PASS will work closely with the customer to identify the specific screening and vetting processes in use by the customer. This normally takes the form of a project kick-off meeting. The system is then configured to mimic the customer processes. Following this a period of user testing is undertaken to ensure the processes in the system are fit for purpose. Once signed off by the customer the system is promoted to a live status. Full training is provided on how to configure and maintain the system and reflect any process changes. End user training is also given in how to run the system. A full set of user and administrator documentation is provided.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Upon termination, PASS is committed to working with the customer to provide complete extract of all data and related documents in a variety of formats.

The data will be provided either over secure transfer or encrypted physical media.
End-of-contract process When termination notice is served a termination date is agreed with the customer in line with the contractual termination period. On that date all access is revoked and a full data extraction is initiated. Once completed, the data extract is provided to the customer in the agreed format. The data extraction is included in the contract price.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The application is a responsive design using a Mobile-First philosophy. Within the solution there are different interfaces and user journeys for the vetting officer, hiring managers and candidates.
Service interface No
What users can and can't do using the API Initial creation of candidate for vetting. Updates of status of vetting process. Return full results and additional documents used in vetting process.

API does not allow changes to system configuration.
API documentation Yes
API documentation formats PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Customisation and configuration is accessible from within the system, providing the user has the correct access permissions. Items that can be customised from within the system are:
• Security levels
• Access permissions
• Users
• Business units / Divisions / Groups
• Clients
• Reference Types
• Data Check types
• Workflows
• Gap management
• Automatic chases
• Email templates
• Report templates
• Automatic report creation
• Turnaround Times
• Expiry Management and reminders
• Supplied documents
• Requested documents
• Candidate questions
• Referee questions
• Address constraints
• Employment history constraints
• Educational history constraints
• Mandatory / Optional questions
• Consent
• Anonymisation rules and process

Our implementation team can also fully white-label the solution so that Brands, Logo and Colours can be adjusted to suit.

Additionally, extra services and features can be added on request and at additional cost.


Independence of resources The standard solution uses a multi-tenanted data server environment with dedicated application servers and document repository. Separation between customers is achieved by provided dedicated databases with individual user credentials.

If required, a fully dedicated infrastructure can be provided.


Service usage metrics Yes
Metrics types Customer can review service usage in the system via real-time dashboards, dashboard reporting and MI reports on demand. These show a variety of information to allow the customer to review operational effectiveness, problematic areas and system/user performance.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
Other data at rest protection approach Azure Encryption enabled.
SQL Server Transparent Data Encryption (TDE) enabled.
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach • Individual candidates available via PDF/Encrypted PDF reports.
• Individual candidates available via API.
• On demand reports can be exported to RPT, PDF, XLS, DOC, RTF
• Data export capability as part of off-boarding
Data export formats
  • CSV
  • Other
Other data export formats
  • PDF
  • RPT
  • XLS
  • RTF
  • JSON (via API)
Data import formats
  • CSV
  • Other
Other data import formats
  • JSON (Via API)
  • PDF (via applicant portal)
  • DOC (via applicant portal)
  • DOCX (via applicant portal)

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection between networks IP Address Whitelisting
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network Microsoft Azure security groups define permitted intra-server connections

All servers protected with firewall and IP whitelisting from other internal addresses.

Availability and resilience

Availability and resilience
Guaranteed availability Warrantor is hosted on Microsoft Azure infrastructure which offers 99.95% availability for VM infrastructure and 99.999% for database. This excludes planned / agreed and emergency maintenance periods.
Approach to resilience Daily database backups retained for 15 days.
Daily VM backups retained for 15 days.
Entire solutions replicated in second UK region providing individual resource and total infrastructure fail-over capability.
Outage reporting Email alerts

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels User Role / Permission system with the solution.

Data segmentation with customer accounts.

Limited members of staff have access to production platforms on a least-possible access basis.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Alcumus ISOQAR
ISO/IEC 27001 accreditation date 22/06/2018
What the ISO/IEC 27001 doesn’t cover Nothing is excluded
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications Cyber Essentials (annually renewed)

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards Cyber Essentials
Information security policies and processes All controls included with the ISO27001:2013 standard. Statement of Applicability (SOA) available on request.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach All change management in line with Secure Development Policy and ISO 27001. Use of ticketing system, automated testing, staged releases, UAT environments.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Regular penetration testing by a CREST certified expert.

Servers have automated security updates in place.

Audit logs retained and examined as needed with regular alerts for key triggers.

Microsoft Security Centre in use to provide real-time threat analysis.

All physical infrastructure managed by Microsoft.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Real-time monitoring and alerting enabled on all infrastructure resources.

Audit and activity logs retained to support monitoring, incident identification, response and investigative activities.
Incident management type Supplier-defined controls
Incident management approach Incident management process in line with ISO/IEC 27001.

Staff are encouraged to report all incidents via a generic internal security email account that is monitored by the CTO.

Incident reports provided to affected parties both during and after closure of an incident.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £175 to £175 per user per month
Discount for educational organisations No
Free trial available No

Service documents

Return to top ↑