Warrantor - Vetting and Screening Solution
PASS Warrantor is a full-service background checking solution for Government, Defence, public sector organisations and police forces. Our fully customisable software gives you the ability to retain control and visibility of your background checking process in-house whilst our cutting edge technology helps to drive efficiencies in your process.
- Manages screening workflow for clearances
- GDPR Compliant
- Customisable workflows
- Customisable interface
- Customisable templates
- After care checks managed within system
- Dynamic applicant portal to ensure only minimum data is gathered
- Full audit trails and reporting
- Biometric identity verification
- Machine learning built in
- Gain full control over vetting processes and workflows
- Achieve high levels of compliance
- Cost reduction and improved ROI
- Automatic validation of incoming data removes error
- TODO lists and workbenches focus user activity
- Online candidate portal removes back-office admin
- Can be accessed from any location or device
- Integration of ATS systems means less re-keying
- Provides comprehensive reporting and analysis
- Enables multi-force collaboration
£175 to £175 per user per month
- Pricing document
- Skills Framework for the Information Age rate card
- Service definition document
- Terms and conditions
+44(0) 3301 132 361
|Software add-on or extension||No|
|Cloud deployment model||
Planned maintenance can occur 6pm-8am Mon-Fri, 8am-5pm Sat/Sun.
Any downtime is arranged in advance with clients at a mutually agreeable date and time slot.
|Email or online ticketing support||Email or online ticketing|
|Support response times||
Dependent upon priority. Standard SLAs are as follows:
P1 - Customer operations are significantly affected - Response: Hourly updates, Resolution: Emergency service pack or workaround
P2 - A minor function of the solution is inoperable - Response: 1 Day, Resolution: Next planned service pack
P3 - A problem is detected that has minimal impact on daily operations - Response: 2 business days, Resolution: Next planned release
P4 - A cosmetic issue - Response: 5 business days, Resolution: Next user group review
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
Support Team – Ticketing System / Phone Support
Implementation Consultant – Initial setup and training
Account Manager – Quarterly business reviews, face to face meetings, first point of call
Service Delivery Manager – Monthly service reviews
Technical project manager – as required
Service Desk -> Service Delivery Manager
Service Delivery Manager -> CTO
CTO -> CEO
|Support available to third parties||Yes|
Onboarding and offboarding
|Getting started||As part of the setup process PASS will work closely with the customer to identify the specific screening and vetting processes in use by the customer. This normally takes the form of a project kick-off meeting. The system is then configured to mimic the customer processes. Following this a period of user testing is undertaken to ensure the processes in the system are fit for purpose. Once signed off by the customer the system is promoted to a live status. Full training is provided on how to configure and maintain the system and reflect any process changes. End user training is also given in how to run the system. A full set of user and administrator documentation is provided.|
|End-of-contract data extraction||
Upon termination, PASS is committed to working with the customer to provide a complete extract of all data and related documents in a variety of formats.
The data will be provided either over secure transfer or encrypted physical media.
|End-of-contract process||When termination notice is served a termination date is agreed with the customer in line with the contractual termination period. On that date all access is revoked and a full data extraction is initiated. Once completed, the data extract is provided to the customer in the agreed format. The data extraction is included in the contract price.|
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||The application is a responsive design using a Mobile-First philosophy. Within the solution there are different interfaces and user journeys for the vetting officer, hiring managers and candidates.|
|What users can and can't do using the API||
Initial creation of candidate for vetting. Updates of status of vetting process. Return full results and additional documents used in vetting process.
API does not allow changes to system configuration.
|API documentation formats|
|API sandbox or test environment||Yes|
|Description of customisation||
Customisation and configuration are accessible from within the system, provided the user has the correct access permissions. Items that can be customised from within the system are:
• Security levels
• Access permissions
• Business units / Divisions / Groups
• Reference Types
• Data Check types
• Gap management
• Automatic chases
• Email templates
• Report templates
• Automatic report creation
• Turnaround Times
• Expiry Management and reminders
• Supplied documents
• Requested documents
• Candidate questions
• Referee questions
• Address constraints
• Employment history constraints
• Educational history constraints
• Mandatory / Optional questions
• Anonymisation rules and process
Our implementation team can also fully white-label the solution so that Brands, Logo and Colours can be adjusted to suit.
Additionally, extra services and features can be added on request and at additional cost.
|Independence of resources||
The standard solution uses a multi-tenanted data server environment with dedicated application servers and document repository. Separation between customers is achieved by providing dedicated databases with individual user credentials.
If required, a fully dedicated infrastructure can be provided.
|Service usage metrics||Yes|
|Metrics types||Customer can review service usage in the system via real-time dashboards, dashboard reporting and MI reports on demand. These show a variety of information to allow the customer to review operational effectiveness, problematic areas and system/user performance.|
|Supplier type||Not a reseller|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Security Clearance (SC)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Managed by a third party|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||
|Other data at rest protection approach||
Azure Encryption enabled.
SQL Server Transparent Data Encryption (TDE) enabled.
|Data sanitisation process||Yes|
|Data sanitisation type||Deleted data can’t be directly accessed|
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||
• Individual candidates available via PDF/Encrypted PDF reports.
• Individual candidates available via API.
• On demand reports can be exported to RPT, PDF, XLS, DOC, RTF
• Data export capability as part of off-boarding
|Data export formats||
|Other data export formats||
|Data import formats||
|Other data import formats||
|Data protection between buyer and supplier networks||
|Other protection between networks||IP Address Whitelisting|
|Data protection within supplier network||
|Other protection within supplier network||
Microsoft Azure security groups define permitted intra-server connections
All servers protected with firewall and IP whitelisting from other internal addresses.
Availability and resilience
|Guaranteed availability||Warrantor is hosted on Microsoft Azure infrastructure which offers 99.95% availability for VM infrastructure and 99.999% for database. This excludes planned / agreed and emergency maintenance periods.|
|Approach to resilience||
Daily database backups retained for 15 days.
Daily VM backups retained for 15 days.
Entire solutions replicated in second UK region providing individual resource and total infrastructure fail-over capability.
|Outage reporting||Email alerts|
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||
User Role / Permission system with the solution.
Data segmentation with customer accounts.
Limited members of staff have access to production platforms on a least-possible access basis.
|Access restriction testing frequency||At least once a year|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users have access to real-time audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||Alcumus ISOQAR|
|ISO/IEC 27001 accreditation date||22/06/2018|
|What the ISO/IEC 27001 doesn’t cover||Nothing is excluded|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||Cyber Essentials (annually renewed)|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||
|Other security governance standards||Cyber Essentials|
|Information security policies and processes||All controls included with the ISO27001:2013 standard. Statement of Applicability (SOA) available on request.|
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||All change management in line with Secure Development Policy and ISO 27001. Use of ticketing system, automated testing, staged releases, UAT environments.|
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||
Regular penetration testing by a CREST certified expert.
Servers have automated security updates in place.
Audit logs retained and examined as needed with regular alerts for key triggers.
Microsoft Security Centre in use to provide real-time threat analysis.
All physical infrastructure managed by Microsoft.
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
Real-time monitoring and alerting enabled on all infrastructure resources.
Audit and activity logs retained to support monitoring, incident identification, response and investigative activities.
|Incident management type||Supplier-defined controls|
|Incident management approach||
Incident management process in line with ISO/IEC 27001.
Staff are encouraged to report all incidents via a generic internal security email account that is monitored by the CTO.
Incident reports provided to affected parties both during and after closure of an incident.
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£175 to £175 per user per month|
|Discount for educational organisations||No|
|Free trial available||No|