PASS Technology

Warrantor - Vetting and Screening Data Services

Warrantor Data Service is an optional add-on feature for the Warrantor Vetting and Screening solution. The service allows the core system to seamlessly link in multiple third party data sources to enrich the quality and reach of the vetting process, driving efficiency and compliance.

Features

  • Criminality Checks (Basic, Standard and Enhanced)
  • Credit History
  • Directorship Checks
  • PEPs
  • Sanctions
  • Adverse Media
  • Counter Terrorism

Benefits

  • Simple UI to submit complex checks
  • Fully integrated into Warrantor Vetting and Screening Solution
  • Applicant consent aware
  • GDPR Compliant
  • Efficiency gains providing rapid ROI
  • Eliminates re-keying and potential errors

Pricing

£0.50 to £50 per transaction

Framework

G-Cloud 11

Service ID

820399849511199

Contact

PASS Technology

Gareth Downing

+44(0) 3301 132 361

gad@passtechnology.com

Service scope

Software add-on or extension Yes
What software services is the service an extension to Warrantor - Vetting and Screening Solution
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints Planned maintenance can occur 6pm-8am Mon-Fri, 8am-5pm Sat/Sun.

Any downtime is arranged in advance with clients at a mutually agreeable date and time slot.
System requirements
  • Web browser (with security updates)
  • Internet Access

User support

Email or online ticketing support Email or online ticketing
Support response times Dependent upon priority. Standard SLAs are as follows:

P1 - Customer operations are significantly affected - Response: Hourly updates, Resolution: Emergency service pack or workaround

P2 - A minor function of the solution is inoperable - Response: 1 Day, Resolution: Next planned service pack

P3 - A problem is detected that has minimal impact on daily operations - Response: 2 business days, Resolution: Next planned release

P4 - A cosmetic issue - Response: 5 business days, Resolution: Next user group review
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Support Team – Ticketing System / Phone Support
Implementation Consultant – Initial setup and training
Account Manager – Quarterly business reviews, face to face meetings, first point of call
Service Delivery Manager – Monthly service reviews
Technical project manager – as required

Escalation points
Service Desk -> Service Delivery Manager
Service Delivery Manager -> CTO
CTO -> CEO
Support available to third parties Yes

Onboarding and offboarding

Getting started As part of the setup process PASS will work closely with the customer to identify the specific screening and vetting processes in use by the customer. This normally takes the form of a project kick-off meeting. The system is then configured to mimic the customer processes. Following this a period of user testing is undertaken to ensure the processes in the system are fit for purpose. Once signed off by the customer the system is promoted to a live status. Full training is provided on how to configure and maintain the system and reflect any process changes. End user training is also given in how to run the system. A full set of user and administrator documentation is provided.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Upon termination, PASS is committed to working with the customer to provide a complete extract of all data and related documents in a variety of formats.

The data will be provided either over secure transfer or encrypted physical media.
End-of-contract process When a termination notice is served, a termination date is agreed with the customer in line with the contractual termination period. On that date all access is revoked and a full data extraction is initiated. Once completed, the data extract is provided to the customer in the agreed format. The data extraction is included in the contract price.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The application is a responsive design using a Mobile-First philosophy. Within the solution there are different interfaces and user journeys for the vetting officer, hiring managers and candidates.
Service interface No
API Yes
What users can and can't do using the API Initial creation of candidate for vetting. Updates of status of vetting process. Return full results and additional documents used in vetting process.

API does not allow changes to system configuration.
API documentation Yes
API documentation formats PDF
API sandbox or test environment Yes
Customisation available No

Scaling

Independence of resources Each customer of the data services has their own account and credentials. All submissions to the data service are recorded against that customer record. Logic in the database prevents any data from incorrect customers being returned to the Warrantor Vetting and Screening Solution.

If required, a fully dedicated infrastructure can be provided.

Analytics

Service usage metrics No

Resellers

Supplier type Not a reseller

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
Other data at rest protection approach Azure Encryption enabled.
SQL Server Transparent Data Encryption (TDE) enabled.
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data export approach • Individual candidates available via PDF/Encrypted PDF reports.
• Individual candidates available via API.
• On demand reports can be exported to RPT, PDF, XLS, DOC, RTF
• Data export capability as part of off-boarding
Data export formats Other
Other data export formats JSON (via API)
Data import formats Other
Other data import formats JSON (via API)

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks IP Address Whitelisting
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network Microsoft Azure security groups define permitted intra-server connections

All servers protected with firewall and IP whitelisting from other internal addresses.

Availability and resilience

Guaranteed availability Warrantor Data Services is hosted on Microsoft Azure infrastructure, which offers 99.95% availability for VM infrastructure and 99.999% for SQL Azure database.

This excludes planned / agreed and emergency maintenance periods.
Approach to resilience Daily database backups retained for 15 days.
Daily VM backups retained for 15 days.
Entire solution replicated in a second UK region, providing individual resource and total infrastructure fail-over capability.
Outage reporting Email alerts

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels User Role / Permission system with the solution.

Data segmentation with customer accounts.

Limited members of staff have access to production platforms on a least-possible access basis.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Alcumus ISOQAR
ISO/IEC 27001 accreditation date 22/06/2018
What the ISO/IEC 27001 doesn’t cover Nothing is excluded
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications Cyber Essentials (annually renewed)

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards Cyber Essentials
Information security policies and processes All controls included with the ISO27001:2013 standard. Statement of Applicability (SOA) available on request.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach All change management in line with Secure Development Policy and ISO 27001. Use of ticketing system, automated testing, staged releases, UAT environments.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Regular penetration testing by a CREST certified expert.

Servers have automated security updates in place.

Audit logs retained and examined as needed with regular alerts for key triggers.

Microsoft Security Centre in use to provide real-time threat analysis.

All physical infrastructure managed by Microsoft.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Real-time monitoring and alerting enabled on all infrastructure resources.

Audit and activity logs retained to support monitoring, incident identification, response and investigative activities.
Incident management type Supplier-defined controls
Incident management approach Incident management process in line with ISO/IEC 27001.

Staff are encouraged to report all incidents via a generic internal security email account that is monitored by the CTO.

Incident reports provided to affected parties both during and after closure of an incident.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks No

Pricing

Price £0.50 to £50 per transaction
Discount for educational organisations No
Free trial available No
