Warrantor - Vetting and Screening Data Services
Warrantor Data Service is an optional add-on feature for the Warrantor Vetting and Screening solution. The service allows the core system to seamlessly link in multiple third-party data sources to enrich the quality and reach of the vetting process, driving efficiency and compliance.
- Criminality Checks (Basic, Standard and Enhanced)
- Credit History
- Directorship Checks
- Adverse Media
- Counter Terrorism
- Simple UI to submit complex checks
- Fully integrated into Warrantor Vetting and Screening Solution
- Applicant consent aware
- GDPR Compliant
- Efficiency gains providing rapid ROI
- Eliminates re-keying and potential errors
£0.50 to £50 per transaction
8 2 0 3 9 9 8 4 9 5 1 1 1 9 9
+44(0) 3301 132 361
|Software add-on or extension||Yes|
|What software services is the service an extension to||Warrantor - Vetting and Screening Solution|
|Cloud deployment model||
Planned maintenance can occur 6pm-8am Mon-Fri, 8am-5pm Sat/Sun.
Any downtime is arranged in advance with clients at a mutually agreeable date and time slot.
|Email or online ticketing support||Email or online ticketing|
|Support response times||
Dependent upon priority. Standard SLAs are as follows:
P1 - Customer operations are significantly affected - Response: Hourly updates, Resolution: Emergency service pack or workaround
P2 - A minor function of the solution is inoperable - Response: 1 Day, Resolution: Next planned service pack
P3 - A problem is detected that has minimal impact on daily operations - Response: 2 business days, Resolution: Next planned release
P4 - A cosmetic issue - Response: 5 business days, Resolution: Next user group review
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
Support Team – Ticketing System / Phone Support
Implementation Consultant – Initial setup and training
Account Manager – Quarterly business reviews, face to face meetings, first point of call
Service Delivery Manager – Monthly service reviews
Technical project manager – as required
Service Desk -> Service Delivery Manager
Service Delivery Manager -> CTO
CTO -> CEO
|Support available to third parties||Yes|
Onboarding and offboarding
|Getting started||As part of the setup process PASS will work closely with the customer to identify the specific screening and vetting processes in use by the customer. This normally takes the form of a project kick-off meeting. The system is then configured to mimic the customer processes. Following this a period of user testing is undertaken to ensure the processes in the system are fit for purpose. Once signed off by the customer the system is promoted to a live status. Full training is provided on how to configure and maintain the system and reflect any process changes. End user training is also given in how to run the system. A full set of user and administrator documentation is provided.|
|End-of-contract data extraction||
Upon termination, PASS is committed to working with the customer to provide a complete extract of all data and related documents in a variety of formats.
The data will be provided either over secure transfer or encrypted physical media.
|End-of-contract process||When termination notice is served a termination date is agreed with the customer in line with the contractual termination period. On that date all access is revoked and a full data extraction is initiated. Once completed, the data extract is provided to the customer in the agreed format. The data extraction is included in the contract price.|
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||The application is a responsive design using a Mobile-First philosophy. Within the solution there are different interfaces and user journeys for the vetting officer, hiring managers and candidates.|
|What users can and can't do using the API||
Initial creation of candidate for vetting. Updates of status of vetting process. Return full results and additional documents used in vetting process.
API does not allow changes to system configuration.
|API documentation formats|
|API sandbox or test environment||Yes|
|Independence of resources||
Each customer of the data services has their own account and credentials. All submissions to the data service are recorded against that customer record. Logic in the database prevents any data from incorrect customers being returned to the Warrantor Vetting and Screening Solution.
If required, a fully dedicated infrastructure can be provided.
|Service usage metrics||No|
|Supplier type||Not a reseller|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Security Clearance (SC)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Managed by a third party|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||
|Other data at rest protection approach||
Azure Encryption enabled.
SQL Server Transparent Data Encryption (TDE) enabled.
|Data sanitisation process||Yes|
|Data sanitisation type||Deleted data can’t be directly accessed|
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||
• Individual candidates available via PDF/Encrypted PDF reports.
• Individual candidates available via API.
• On demand reports can be exported to RPT, PDF, XLS, DOC, RTF
• Data export capability as part of off-boarding
|Data export formats||Other|
|Other data export formats||JSON (via API)|
|Data import formats||Other|
|Other data import formats||JSON (via API)|
|Data protection between buyer and supplier networks||
|Other protection between networks||IP Address Whitelisting|
|Data protection within supplier network||
|Other protection within supplier network||
Microsoft Azure security groups define permitted intra-server connections
All servers protected with firewall and IP whitelisting from other internal addresses.
Availability and resilience
Warrantor Data Services is hosted on Microsoft Azure infrastructure, which offers 99.95% availability for VM infrastructure and 99.999% for SQL Azure database.
This excludes planned / agreed and emergency maintenance periods.
|Approach to resilience||
Daily database backups retained for 15 days.
Daily VM backups retained for 15 days.
Entire solutions replicated in second UK region providing individual resource and total infrastructure fail-over capability.
|Outage reporting||Email alerts|
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||
User Role / Permission system with the solution.
Data segmentation with customer accounts.
Limited members of staff have access to production platforms on a least-possible access basis.
|Access restriction testing frequency||At least once a year|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||Alcumus ISOQAR|
|ISO/IEC 27001 accreditation date||22/06/2018|
|What the ISO/IEC 27001 doesn’t cover||Nothing is excluded|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||Cyber Essentials (annually renewed)|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||
|Other security governance standards||Cyber Essentials|
|Information security policies and processes||All controls included with the ISO27001:2013 standard. Statement of Applicability (SOA) available on request.|
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||All change management in line with Secure Development Policy and ISO 27001. Use of ticketing system, automated testing, staged releases, UAT environments.|
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||
Regular penetration testing by a CREST certified expert.
Servers have automated security updates in place.
Audit logs retained and examined as needed with regular alerts for key triggers.
Microsoft Security Centre in use to provide real-time threat analysis.
All physical infrastructure managed by Microsoft.
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
Real-time monitoring and alerting enabled on all infrastructure resources.
Audit and activity logs retained to support monitoring, incident identification, response and investigative activities.
|Incident management type||Supplier-defined controls|
|Incident management approach||
Incident management process in line with ISO/IEC 27001.
Staff are encouraged to report all incidents via a generic internal security email account that is monitored by the CTO.
Incident reports provided to affected parties both during and after closure of an incident.
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£0.50 to £50 per transaction|
|Discount for educational organisations||No|
|Free trial available||No|