VERIFILE LIMITED

Employment Screening, Disclosure & Barring Service DBS Checks and BPSS Baseline Vetting

Employment screening, BPSS (Baseline) vetting and DBS / CRB services. Verifile's secure vetting platform enables employers to select global background check services. Direct integration with the Disclosure and Barring Service ensures the fastest turnaround for UK criminal record checks. Authenticating all data sources for staff vetting detects fake references and qualifications.

Features

  • RANGE OF QUICK CHECKS SUPPORTING EMPLOYERS WITH VETTING DURING PANDEMIC
  • Queen's Award-winning cloud-based background screening and BPSS vetting
  • Full range of DBS checks and global background screening services
  • Accessibility upgrade - WCAG2.1, ADA (Section 508) and EN301549 compliant
  • Loaded with validation tools to ensure accuracy/minimise user errors
  • Fast flexible set-up, with integrated criminal record checks
  • Dedicated Client and Candidate Support Teams for all vetting services
  • 100% UK-based operation and data storage
  • All data sources and vetting subjects fully researched and authenticated
  • Online MI reports and analytics for DBS and BPSS services

Benefits

  • Fastest DBS vetting turnaround times due to lowest error rate
  • 50% of Basic DBS (CRB) results received within 24 hours
  • Place orders, track progress and view staff vetting results online
  • Integrate with your ATS or HR system for increased efficiencies
  • Stay up-to-date with customisable email notifications/status updates
  • Personalised candidate messaging, your account branded with your logo
  • Reducing risk with a GDPR-compliant criminal record checking service
  • Robust BPSS (Baseline) screening reports enable informed recruitment decisions
  • 20 languages spoken in-house ensures extensive global reach
  • Direct Disclosure and Barring Service integration ensures fastest possible results

Pricing

£3.00 per transaction

  • Education pricing available

Service documents

Framework

G-Cloud 11

Service ID

561393480394138

Contact

VERIFILE LIMITED

Tom Bell-Green

+44 (0) 1234 608090

sales@verifile.co.uk

Service scope

Software add-on or extension
No
Cloud deployment model
  • Community cloud
  • Hybrid cloud
Service constraints
No
System requirements
N/A

User support

Email or online ticketing support
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
No
Support levels
We provide three levels of support for all clients.

Each client has a dedicated Account Manager, as well as access to our dedicated Client and Candidate Support Teams for day-to-day enquiries and requests.

Free out-of-hours service - calls will be taken by a human 24/7 Telephone Answering Service, with messages forwarded to the appropriate team or individual for a response on the next working day.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We recommend that Verifile deliver training on the screening process before going live to all staff that will have interaction with Verifile.

Verifile’s system is intuitive and easy to master, particularly from the client facing perspective.

Depending on the number of users requiring training, initial training can typically be delivered on-site as part of the implementation process; however, any subsequent user training or refresher sessions would typically be delivered by web meetings.

As a direct result of a suggestion from a long-standing client, we have also released a ‘canned training’ video specifically to help new client users when joining the team.

User guides are also provided for reference purposes.
Service documentation
Yes
Documentation formats
  • PDF
  • Other
Other documentation formats
Data for Integration Purposes
End-of-contract data extraction
We can provide copies of final reports in the existing pdf format and on other media requested, as long as this meets with legal and our own business obligations to ensure the security of data.

These reports can be downloaded directly from our platform at any time or transferred via other means such as SFTP. File notes, full audit history, original reference copies and all other information held on the Verifile system can be provided as raw data.

Part of the leaving process will be to create an information asset register so all data held by Verifile is identified and a decision made on retention, transfer or disposal. We will need to retain a certain amount of ‘skeleton data’ in order to fulfil our legal and auditing obligations but none will include personally identifiable information about your candidates.

Once the demobilisation plan has been executed, we will provide written confirmation to that effect.
End-of-contract process
Demobilisation Plan - All data held on our system, including pdf final reports, can be provided to you. A secure method of transfer would need to be utilised due to the personal information held and the volume of data. As long as we continue to receive orders from you we will continue to fulfil them in line with the agreed packages and SLA. All clients’ orders experience the same high level of service, irrespective of whether any particular client has expressed their intention to transition away from Verifile.

Technical support will be available to assist with the transfer of data and any other needs that may be identified in transition planning discussions and we have a defined leaver’s process which would be executed jointly with yourselves. The process includes ensuring that all user accesses are closed, and decisions are made on the retention, transfer or deletion of data. We ask that leaving clients provide feedback on our service to help us continually review and refine our service.

We would also be open to working with new suppliers during transition and would provide any assistance required.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Yes
Compatible operating systems
Other
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
No
Service interface
No
API
Yes
What users can and can't do using the API
Users sign up to the developer portal and are issued a subscription key and user keys.

The checks available to order are customisable; changes are made by the account manager.

Authentication is provided through Microsoft Azure API Management.

The API only allows users to create orders, and to view existing orders to monitor progress and receive results from multiple checks.
API documentation
Yes
API documentation formats
HTML
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Users can't customise the way the API works but can configure their account.

Scaling

Independence of resources
Local office systems are monitored for capacity with monthly reports produced by Aztech IT Solutions. Hosted systems are monitored by Rackspace and automated capacity threshold notification systems are in place. The Verifile Development Team reviews application, database, system and server logs each week along with checking and recording current server capacities on an internal record keeping system.

Analytics

Service usage metrics
Yes
Metrics types
TBC
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
Physical access control, complying with CSA CCM v3.0
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Via API, via MI reports, via downloads.
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
We aim for 99.9% availability and last year achieved 99.88%
Approach to resilience
Available on Request
Outage reporting
4-hour warning with count-down for planned outages. Communicate updates via email and extranet to clients.

Identity and authentication

User authentication needed
Yes
User authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels
Access to the production system is via unique accounts; there are no shared accounts. All access is logged, including access to the hosted systems that is not via the application interface, and logs are reviewed weekly. Verifile have recently implemented the Reblaze Web Application Firewall (WAF). The WAF continuously monitors traffic using a variety of methods including: threat blacklisting, bot identification algorithms, header, form, and field policy enforcement, HTTP error triggering, resource consumption thresholds, schema validation, content evaluation, minefields and honeypots, signatures, IP address allocation maps, TOR network mapping, progressive challenge mechanisms, argument limitations, RFC compliance, nested encoding detection, method filtering, payload inspection and behavioural analysis.
Access restriction testing frequency
At least once a year
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
  • Other
Description of management access authentication
IP Whitelisting

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Alcumus ISOQAR
ISO/IEC 27001 accreditation date
24/01/2019
What the ISO/IEC 27001 doesn’t cover
N/A - This industry standard applies to all elements of the Verifile group.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
  • Cyber Essentials Plus
  • NSI Gold for Security Vetting

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Cyber Essentials Plus
Information security policies and processes
We adhere to:

The Data Protection Act (1998)
Copyright, Designs and Patents Act (1988)
Computer Misuse Act (1990)
Regulation of Investigatory Powers Act (2000)
Human Rights Act (2000)

Further information is available upon request within our Data Security Policy Document.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
• Compliant with extant Verifile coding standards.

• Subject to a design review against the Open Web Application Security Project (OWASP) Top 10 most critical web application security risks.

• Follow Microsoft guidelines for ASP.NET Web App Security.

• Reviewed by another developer.

• Tested in accordance with the formal testing process.

The components are tracked through being outsourced to Rackspace and Aztech IT Solutions.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
The identification, testing and application of relevant patches for operating systems, firmware and application software packages excluding Verifile software applications are managed services by Rackspace and Aztech IT Solutions.

All anti-virus and relevant security updates and service packs are applied as soon as they are released, evaluated and tested.

AV software is installed on the live production servers and managed by Rackspace.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
The identification, testing and application of relevant patches for operating systems, firmware and application software packages excluding Verifile software applications are managed services by Rackspace and Aztech IT Solutions.

Alerting and monitoring is in place 24x7 for both the live application hosting environment and the local Verifile IT estate.

Verifile will work with you to agree a formal incident reporting and response plan including relevant points of contact.
Incident management type
Supplier-defined controls
Incident management approach
Verifile will alert the customer to incidents according to our Incident Management Policy.

It is the responsibility of the Information Security Manager to commission security investigations as deemed necessary by them.

As part of Verifile’s commitment to ISO27001 and ISO9001 certification, reporting of Information Security weaknesses is encouraged from all personnel and recorded under the ISO9001 system for Corrective and Preventive Action.

The reporting of Information Security weaknesses is encouraged from all personnel. All relevant incidents are recorded under the ISO 9001 system for Corrective and Preventive Action.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Pricing

Price
£3.00 per transaction
Discount for educational organisations
Yes
Free trial available
No
