Civica UK Limited

Trac Recruitment System

The Trac recruitment system is an e-recruitment applicant tracking system (ATS) that has been designed to meet the needs of public sector organisations, particularly NHS and local government. The system links with ESR and eBulk (DBS). It covers advertising, selection (shortlisting, interviews), offer letters, employment checks and includes multiple workflows.


  • Flexible, optional, authorisation module
  • Vacancy advertising with links to external media
  • Application filtering, longlisting and shortlisting tools
  • Automated interview invite and booking system using email & texts
  • Conditional Offer letters built in and customisable
  • Identity check booking and recording system
  • Integrated eDBS system
  • Sophisticated reporting tools that link with organisational structures
  • Experienced trainers and support staff to ensure smooth deployment


  • Speeds up recruitment
  • Makes recruitment activity easier to track and report on
  • Popular with hiring manager, recruitment staff and applicants
  • Improves efficency of recruitment staff
  • Improves communications with hiring managers and applications
  • Provides a modern efficient gateway for potential staff
  • Integrates with other systems, particularly ESR, eDBS (eBulk) and


£1150 per licence per month

Service documents


G-Cloud 11

Service ID

8 0 4 1 3 2 3 0 6 8 5 7 1 2 2


Civica UK Limited

Civica UK Limited


Service scope

Software add-on or extension
Cloud deployment model
  • Private cloud
  • Hybrid cloud
Service constraints
System requirements
  • Chrome, Edge or IE browser with current vendor support
  • PDF document viewer
  • Sufficient RAM for the browser and any concurrent software applications

User support

Email or online ticketing support
Email or online ticketing
Support response times
Office is open 9am to 5pm Monday to Friday (excluding English Public Holidays. We aim to respond within 1/2 a working day during these times.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Trac Systems Ltd provides a free technical support (telephone and email) service for buyer's Super Users. This is open weekdays 09:00 to 17:00 (excluding English public holidays). The Trac Recruitment System has been designed to provide a fully functioning system, with many built in options available, that can be operated by a buyer with little support from Trac Sytems Ltd staff. Where additional support is required to carry out a task that can not be done by the buyer, for instance adding a new Super User, this is done for no additional cost. Trac Systems Ltd are also able to provide a paid for support service to carry out ad-hoc tasks that the buyer does not have the resources to carry out locally. For instance helping with Super User tasks when the buyer's Super Users are not available. Details of additional levels of support are in the Service Definition document.
Support available to third parties

Onboarding and offboarding

Getting started
Trac Systems Ltd has extensive experience of getting buyers up and running with the Trac Recruitment System. The start-up package, available as an optional extra for new buyers, includes: * An initial one day stakeholder/start-up meeting held at the buyer's premises * Setting up the buyer as a user organistion within the Trac Recruitment System, this includes: - adding a set of standard template emails and letters - adding up to eight buyer specific conditional or unconditional offer letters - creating a buyer sub-site for linking to the buyer's own web-site * A two day system review, process analysis and feature selection workshop held in Bakewell * Two day start-up training course for recruitment team staff on buyer's premises * Recruitment support service for four weeks * Two day handback training for recruitment team staff on buyer's premises * Two hour follow-up visit, 8-16 weeks after the handback training (review)
Service documentation
Documentation formats
End-of-contract data extraction
CSV downloads for bulk extraction of data and PDF document packs for the records of individual applicants.
End-of-contract process
Buyer's have full access to all their own application and vacancy data and this can be extracted in CSV files. If additional support or bespoke exports are required these can be provided at our normal Ad-hoc support rates. The easiest off-boarding path is to run both old and new systems for a period, managing the newly-added vacancies in the new system. This saves the effort and risk associated with attempting to migrate data from the Trac Recruitment System, into its replacement. For organisations selecting this option the Trac Recruitment System can be made available for a fixed period of time, for a "tail-off" period, at a gradually decreasing monthly fee that is based on the standard monthly fee payable. Note that during this "tail-off" period no new campaigns or applications can be added to the Trac Recruitment System but the buyer's staff will be able to continue accessing and working on those already in the System. Buyer's can give Trac Systems Ltd a "hard" cut-off date at which point all data held will be deleted. Exit plans can be produced on request by Trac Systems Ltd with time taken for this work being charged at our normal Ad-hoc support rates.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
The interface used by candidates to make and manage job applications is designed to work with mobile devices. The nature of the work carried out by recruitment staff - involving large amounts of data with lots of functionality - presently requires a desktop browser.
Service interface
Customisation available
Description of customisation
The Trac Recruitment System has been designed to provide a fully functioning system, with many built in options available, that can be operated by a buyer with little support from the Trac Systems Ltd. Many options can be controlled by the client's Super Users and can be set-up so that different parts of the buyers organisation have their own customisations. Most settings are controlled from the buyer (employer) table, with other settings at the next level down for different parts of the organisation. Options include different application and reference forms, reporting targets, authorisation area settings, employment checks and many more. See the Service Definition document for more details.


Independence of resources
Computing load is monitored and resources scaled according to predicted demand.


Service usage metrics
Metrics types
The Trac Recruitment System has a clear and easy to use dashboard screen and in addition provides a broad set of template reports, details of which are in the Service Definition document.
Reporting types
Real-time dashboards


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
Physical access control, complying with CSA CCM v3.0
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Users can download their own personal data in PDF documents. Buyer's representatives can download data CSV and PDF formats.
Data export formats
  • CSV
  • Other
Other data export formats
Data import formats
  • CSV
  • Other
Other data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
The service level agreement, that is included in the Civica service definition document, sets out what levels of availability and support the buyer is guaranteed to receive for the Trac Recruitment System. It also explains what service credits will be applied by Civica should it fail to meet these service levels.
Approach to resilience
All data is currently stored on hardware which is owned and managed by Trac Systems and is located in secure and resilient datacentres that operate dual power paths, at least N+1 generators, at least N+1 cooling and have multiple diverse network routes. The service itself is load balanced across multiple servers.
Outage reporting
Outages are reported to customers by email alert. Customers may also call the service helpdesk if they suspect there may be an outage and need assistance in diagnosing whether there is a problem within their own computer networks or elsewhere.

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
By way of firewalling and access credentials.
Access restriction testing frequency
At least once a year
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
QMS International Plc
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
The full service is covered, specifically: "The provision of online recruitment, selection and employment checking systems and associated support services, including interfacing with appropriate third parties".
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • Cyber Essentials Plus
  • ISO22301

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
In order to provide a wide range of services to public and private sector organisations, Civica maintains an active information security programme. This programme requires regular internal and external audit inspection of both physical and logical data protection structures. The policies and procedures are aligned to ISO 27001 and Cyber Essentials Plus certifications.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Changes to existing - and commissioning of new - information processing facilities are managed by way of written procedure which includes assessment of data security and privacy impact. Server management and software development functions are carried out in-house. Formal change control processes, including assessment of potential security impacts, are embodied into the workflow and tracked by project tracking software. Software revision control for the Trac application includes log of commits including descriptions and is tracked through project tracking software. DBS change control procedures are in place.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Civica subscribes to technical vulnerability alert services. Systems administrators monitor incoming notifications, assess their relevance and, once processed, mark them as such and if necessary a tracking ticket is opened to track the work and assigned the appropriate severity level and priority. Software configuration management and automated deployment software is used to manage the change. Vendor security releases are applied according to the nature of the patch. We have the capability to deploy a critical patch within hours of release. Important patches are applied within days and routine updates are applied with a month.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Civica operates an automated suite of protective monitoring tools including intrusion detection systems, data sanity checking, configuration compliance and hundreds of automated checks that constantly check the systems. All servers are tuned to generate log events as appropriate and send these in real time to a central log storage system and management console for analysis. Our monitoring systems run around the clock checking availability and running of all servers and services in detail. Alerts are handled by our systems administrators. We have 24-hour response for critical services, although the system architecture is designed to minimise single points of failure.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
All staff are trained and encouraged to report suspected or actual information security events or weaknesses by way of an Information Security Incident Reporting Policy . Customers can report via their usual support team contacts. Incidents are handled by senior staff in accordance with a process to ensure that relevant data is preserved, investigations carried out, reports made and follow-up actions taken. Trac does have many pre-defined processes for common events, but security incidents are not common events and each is handled carefully as appropriate. Reports are provided to data controllers by email.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£1150 per licence per month
Discount for educational organisations
Free trial available

Service documents

Return to top ↑