Employment Screening, Disclosure & Barring Service DBS Checks and BPSS Baseline Vetting

Employment screening, BPSS (Baseline) vetting and DBS / CRB services. Verifile's secure vetting platform enables employers to select global background check services. Direct integration with Disclosure and Barring Service ensure the fastest turnaround for UK criminal record checks. Authenticating all data sources for staff vetting detects fake references and qualifications.


  • Queen's Award-winning cloud-based background screening and BPSS vetting
  • Full range of DBS checks and global background screening services
  • Accessibility upgrade - WCAG2.1, ADA (Section 508) and EN301549 compliant
  • Loaded with validation tools to ensure accuracy/minimise user errors
  • Fast flexible set-up, with integrated criminal record checks
  • Dedicated Client and Candidate Support Teams for all vetting services
  • 100% UK-based operation and data storage
  • All data sources and vetting subjects fully researched and authenticated
  • Online MI reports and analytics for DBS and BPSS services


  • Fastest DBS vetting turnaround times due to lowest error rate
  • 50% of Basic DBS (CRB) results received within 24 hours
  • Place orders, track progress and view staff vetting results online
  • Integrate with your ATS or HR system for increased efficiencies
  • Stay up-to-date with customisable email notifications/status updates
  • Personalised candidate messaging, your account branded with your logo
  • Reducing risk with GDPR-compliant and compliant criminal record checking service
  • Robust BPSS (Baseline) screening reports enable informed recruitment decisions
  • 20 languages spoken in-house ensures extensive global reach
  • Direct Disclosure and Barring Service integration ensures fastest possible results


£3.00 per transaction

  • Education pricing available

Service documents


G-Cloud 11

Service ID

5 6 1 3 9 3 4 8 0 3 9 4 1 3 8



Tom Bell-Green

+44 (0) 1234 608090

Service scope

Service scope
Software add-on or extension No
Cloud deployment model
  • Community cloud
  • Hybrid cloud
Service constraints No
System requirements N/A

User support

User support
Email or online ticketing support No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support No
Support levels We provide three levels of support for all clients.

Each client has a dedicated Account Manager, as well as access to our dedicated Client and Candidate Support Teams for day-to-day enquiries and requests.

Free out-of-hours service - calls will be taken by a human 24/7 Telephone Answering Service, with messages being forwarded to the appropriate team or individual to respond to the next working day.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We recommend that Verifile deliver training on the screening process before going live to all staff that will have interaction with Verifile.

Verifile’s system is intuitive and easy to master, particularly from the client facing perspective.

Depending on the number of users requiring training, initial training can typically be delivered on-site as part of the implementation process, however any subsequent user training or refresher sessions would typically be delivered by web meetings.

As a direct result of a suggestion from a long-standing client, we have also released a ‘canned training’ video specifically to help new client users when joining the team.

User guides are also provided for reference purposes.
Service documentation Yes
Documentation formats
  • PDF
  • Other
Other documentation formats Data for Integration Purposes
End-of-contract data extraction We can provide copies of final reports in the existing pdf format and on other media requested, as long as this meets with legal and our own business obligations to ensure the security of data.

These reports can be downloaded directly from our platform at any time or transferred via other means such as SFTP. File notes, full audit history, original reference copies and all other information held on the Verifile system can be provided as raw data.

Part of the leaving process will be to create an information asset register so all data held by Verifile is identified and a decision made on retention, transfer or disposal. We will need to retain a certain amount of ‘skeleton data’ in order to fulfil its legal and auditing obligations but none will include personal identifiable information about your candidates.

Once the demobilisation plan has been executed, we will provide written confirmation to that effect.
End-of-contract process Demobilisation Plan - All data held on our system, including pdf final reports, can be provided to you. A secure method of transfer would need to be utilised due to the personal information held and the volume of data. As long as we continue to receive orders from you we will continue to fulfil them in line with the agreed packages and SLA. All clients’ orders experience the same high level of service, irrespective of whether any particular client has expressed their intention to transition away from Verifile.

Technical support will be available to assist with the transfer of data and any other needs that may be identified in transition planning discussions and we have a defined leaver’s process which would be executed jointly with yourselves. The process includes ensuring that all user accesses are closed, and decisions are made on the retention, transfer or deletion of data. We ask that leaving clients provide feedback on our service to help us continually review and refine our service.

We would also be open to working with new suppliers during transition and would provide any assistance required.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install Yes
Compatible operating systems Other
Designed for use on mobile devices Yes
Differences between the mobile and desktop service No
Service interface No
What users can and can't do using the API Users sign up to developer portal and receive a subscription key and user keys issued to them.

Checks available to be ordered are customisable, made by account manager

API Managements Microsoft azure authentication

API only allows users to create orders and view existing orders to monitor progress and receive results from multiple checks via the API.
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Users can't customise the way API works but can configure account


Independence of resources Local office systems are monitored for capacity with monthly reports produced by Aztech IT Solutions. Hosted systems are monitored by Rackspace and automated capacity threshold notification systems are in place. The Verifile Development Team reviews application, database, system and server logs each week along with checking and recording current server capacities on an internal record keeping system.


Service usage metrics Yes
Metrics types TBC
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest Physical access control, complying with CSA CCM v3.0
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Via API, via MI reports, via downloads.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Availability and resilience
Guaranteed availability We aim for 99.9% availability and last year achieved 99.88%
Approach to resilience Available on Request
Outage reporting 4-hour warning with count-down for planned outages. Communicate updates via email and extranet to clients.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels Access to production system is via unique accounts, there arent shared accounts. All access is logged, including to the hosted systems not via the application interface, and logs are reviewed weekly. Verifile have recently implemented Reblaze Web Application Firewall (WAF). The WAF continuously monitors traffic using a variety of methods including; threat blacklisting, bot identification algorithms, header, form, and field policy enforcement, HTTP error triggering, resource consumption thresholds, schema validation, content evaluation, minefields and honeypots, signatures, IP address allocation maps, TOR network mapping, progressive challenge mechanisms, argument limitations, RFC compliance, nested encoding detection, method filtering, payload inspection and behavioural analysis.
Access restriction testing frequency At least once a year
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
  • Other
Description of management access authentication IP Whitelisting

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Alcumus ISOQAR
ISO/IEC 27001 accreditation date 24/01/2019
What the ISO/IEC 27001 doesn’t cover N/A - This industry standard applies to all elements of the Verifile group.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • Cyber Essentials Plus
  • NSI Gold for Security Vetting

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards Cyber Essentials Plus
Information security policies and processes We adhere to:

The Data Protection Act (1998)
Copyright, Designs and Patents Act (1988)
Computer Misuse Act (1990)
Regulation of Investigatory Powers Act (2000)
Human Rights Act (2000)

Further information is available upon request within our Data Security Policy Document.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach • Compliant with extant Verifile coding standards.

• Subject to a design review against the Open Web Application Security Project (OWASP) Top 10 most critical web application security risks.

• Follow Microsoft guidelines for ASP.NET Web App Security.

• Reviewed by another developer.

• Tested in accordance with the formal testing process.

The components are tracked through being outsourced to Rackspace and Aztech IT Solutions.
Vulnerability management type Supplier-defined controls
Vulnerability management approach The identification, testing and application of relevant patches for operating systems, firmware and application software packages excluding Verifile software applications are managed services by Rackspace and Aztech IT Solutions.

All anti-virus and relevant security updates and service packs are applied as soon as they are released, evaluated and tested.

AV software is installed on the live production servers and managed by Rackspace.
Protective monitoring type Supplier-defined controls
Protective monitoring approach The identification, testing and application of relevant patches for operating systems, firmware and application software packages excluding Verifile software applications are managed services by Rackspace and Aztech IT Solutions.

The identification, testing and application of relevant patches for operating systems, firmware and application software packages excluding Verifile software applications are managed services by Rackspace and Aztech IT Solutions.

Alerting and monitoring is in place 24x7 for both the live application hosting environment and the local Verifile IT estate.

Verifile will work with you to agree a formal incident reporting and response plan including relevant points of contact.
Incident management type Supplier-defined controls
Incident management approach Verifile will alert the customer to incidents according to our Incident Management Policy.

It is the responsibility of the Information Security Manager to commission security investigations as deemed necessary by them.

As part of Verifile’s commitment to ISO27001 and ISO9001 certification, reporting of Information Security weaknesses is encouraged from all personnel and recorded under the ISO9001 system for Corrective and Preventive Action.

The reporting of Information Security weaknesses is encouraged from all personnel. All relevant incidents are recorded under the ISO 9001 system for Corrective and Preventive Action.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £3.00 per transaction
Discount for educational organisations Yes
Free trial available No

Service documents

Return to top ↑