DUE DILIGENCE CHECKING LIMITED

Disclosure and Barring Service Checks (DBS), BPSS and Pre-employment Screening

Due Diligence Checking (DDC) is a specialist DBS, BPSS and pre-employment screening provider, supporting over 24,000 organisations. Utilising award-winning technology, DDC streamlines the screening process, reducing the resource needed by your team, and saving valuable time. DDC provides an all-in-one solution for your DBS, reference checks, qualification checks, and more.

Features

• Manage all your pre-employment checks with a single interface
• Knowledgeable Customer Service Team
• Real-time reporting, downloadable excel file with advanced filtering
• Online portal, smart application forms; built-in error checking facilities
• User access management; tiered user access, unlimited users
• DBS and Right to Work compliant Digital Identity Checking Tool
• Tailorable notification system with central oversight
• Variable payment options available, including pay as you go
• Compliant screening packages with downloadable final reports
• Scalable design to suit central management and local processes

Benefits

• Quick and free set-up, established implementation plan
• Over 20 years of knowledge and experience
• Single management interface to request multiple services
• Efficient and flexible process to accommodate your requirements
• 24/7 Easy to use online system, full error checking facilities
• Minimal input to initiate checks, API options available
• Ensures GDPR and data protection compliance
• Save time and resource, no more chasing referees
• Quick electronic results, downloadable from the online platform
• Secure, reliable and professional service, ISO27001 and ISO9001 certified

£5.00 a unit

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at jakew@ddc.uk.net. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

375886436169411

Contact

Jake Waddingham
0116 260 3055
jakew@ddc.uk.net

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: Basic criminal record checks and pre-employment reports can be requested by any organisation. Certain criminal record checks are subject to eligibility requirements and specific consents.
• System requirements: User(s) require an internet enabled device.

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Emails are responded to within 4 - 8 working hours Monday - Friday
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Onsite support
• Support levels: Advice and support is provided to all clients at no additional cost. Core to the provision of the service is the Customer Service Team which is available to deal with all enquiries, questions and help process all applications as quickly and effortlessly as possible. Key customers with complex structures receive support from a dedicated account manager.; ; The majority of technical queries can be dealt with by the Customer Service Team and/or account management team. Clients also receive access to a technical support team for more complex matters.; ; All applicants are encouraged to contact the DDC Customer Service Team, as a fully supported service, to save clients time and resource for dealing with such queries.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Getting started with DDC is free, quick and simple. DDC work with many organisations to offer a premium service, including training at no extra cost. The Customer Service Team take pride in supporting all levels of users, irrespective of previous experience with online systems. DDC will support all users in the transition to the new service in an understanding and professional manner, to minimise disruption. The Customer Service Team is available to answer any queries, concerns or offer guidance on using the system. Clients are provided with support to ensure the system is set-up to match requirements making any transition simple and efficient.; ; New users are provided with a phone call/webinar to introduce DDC and to provide a demonstration of the system. This is provided to all new users added to the system throughout the life of the contact. A quick start guide is available to all users, to help with the processing of pre-employment checks.; ; DDC help clients transfer existing records from previous providers ensuring all data is kept secure.; Onsite training can be provided as part of the implementation. The training is tailored to the requirements of the client and any specific internal procedures in place.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: All data can be extracted from the system by the client using the online system reporting features. The data is emailed to the user accessing the system in a CSV format.
• End-of-contract process: There are no additional costs at the end of the contract. DDC will work with the client to ensure a secure transfer of all data. If any checks are outstanding, DDC will ensure their completion. Once all checks are completed the accounts will be closed and user access removed. System wide users can maintain access post contract, if requested. DDC are happy to work with any new suppliers during the transition. Data is deleted in line with DDC's data retention policies published in the privacy policy, however clients can request full deletion or anonymisation of data as per their own policies.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The online platform is scalable in design to accommodate smaller screen sizes such as mobiles and tablets. Functionality remains the same for both mobile and desktop services.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: The service interface is accessible from any internet enabled device to allow applicants, users and third-parties to process DBS and pre-employment screening checks. The service interface is built on a two-click principle allowing clients to initiate a range of pre-employment checks, manage their applications and receive results. Management Information reports are available through the interface and can be downloaded for further analysis. Users are provided with varying levels of access rights to the service interface depending on their role in the process.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Internal testing to this standard has been completed. No formal testing outside of the organisation has been completed.
• API: Yes
• What users can and can't do using the API: DDC’s API service allows clients to:; ; • Initiate applications and check types; • Receive status updates; received, in progress and complete.; • Receive results; • Withdraw applications; ; Secure connection to this API is controlled using Bearer Authentication with JSON Web Tokens. Access is provided to a sandbox environment for testing during the implementation. All data is validated prior to entering the DDC system to meet strict acceptance criteria, with detailed error messages in place to highlight non-valid data. Data is tracked using applicant specific numbers used by the client, and placed into specific accounts using location codes if multiple accounts/locations are in use. Each user or account can review the progress with applications and obtain status updates directly from the DDC system with a personal username and password.; Full implementation meetings allow alignment of requirements. Bespoke features may be available on request.
• API documentation: Yes
• API documentation formats: PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Aspects of the online service can be customised to meet the customer's requirements. Customisable aspects include:; ; •Multiple accounts to accommodate the organisation's structure or network of sites. Each account can have bespoke system settings to match local processes whilst meeting central management requirements. Accounts can be grouped to accommodate regions, departments or areas of the business. ; ; •User access levels can be determined to reduce or increase the level of access an individual has, to match their role in the process, including notifications.; ; •The application process is customisable to match client requirements including internal or external ID checking and user or applicant data entry.; ; •Flexible payment options allow invoices to be grouped or split across departments or operational areas with the option of allowing applicants to pay online via credit/debit card.; ; •Product packages are bespoke allowing the client to set the required check types and amend the individual elements of each check. For example, how many years of employment history is required, the questions asked of the referee and the level or type of DBS check required.; ; •Applicant reminders and re-check notifications can be tailored to client requirements. This includes the frequency and type of reminders e.g. calls, SMS and emails.

Scaling

• Independence of resources: The system is under constant monitoring with thresholds set with Third party software, which triggers an alert to the Company Directors and Web Development Team if exceeded. This allows for the pro-active detection of load on the servers, and plans for increasing power. The current infrastructure has been specified to handle double the current requirements, and was recently upgraded due to reaching 75% capacity on the previous hardware. This platform has been ‘stress tested’ to handle approximately 300% more applications per annum than the current activity levels.

Analytics

• Service usage metrics: Yes
• Metrics types: The system has a range of reporting and metrics built in and readily available to users using live data. Additional statistics and metrics are made available on a regular basis via an account manager.; Metrics include but are not limited to:; • Number of applications; • Breakdown of check types; • Application status; • Timeframes for process completion; • Timeframes for process steps; • DDC response and processing times; • Service uptime; • Customer satisfaction; • User access data; Bespoke reports and metrics are available and can be requested as required or issued on a scheduled basis.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Data sets can be selected using advanced filtering and exported from within the system by active users. CSV file outputs are sent directly to the users registered email addresses for security. Data can be exported at the click of a button utilising live reports. The exporting of data is available on a range of reports from within the system and is dependent on user access rights. Bespoke data sets in specific formats can be made available for export following consultation.
• Data export formats:
  • CSV
  • Other
• Other data export formats: PDF
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Access to the online web application for all users and applicants is available 24 hours a day, 7 days a week and requires a web browser connected to the internet. The system is guaranteed to have a 99% availability up time. The average uptime for the past 36 months is 99.97%. ; ; DDC's servers are hosted in a Tier 3+ standard data centre with a 99.982% guaranteed availability.; ; DDC will agree an SLA with the client and measure performance against this. Should this SLA not be reached, steps will be taken to return to the agreed service level.
• Approach to resilience: The web-application and all personal data is hosted on high specification servers located in a secure Tier 3+ data centre as per the Telecommunications Infrastructure Standard (ANSI/TIA-942). The data centre guarantees a 99.982% availability. The organisation has been accredited to their own ISO27001 standard.; ; Servers are regularly tested and maintained to a very high standard to ensure security of data and best practice principles are followed. Operating System (OS) patching is carried out monthly, unless a critical vulnerability is announced. CentOS is used for the Virtual Machines (VMs), which has a conservative upgrade philosophy, for stability. Application security updates are applied as released. Servers are maintained with firewalls and IP restrictions. Further information is available on request.; ; DDC have in place and utilise a documented, secure Disaster Recovery process, which will be used for all client data to maintain resilience. This includes key features:; ; • Spare office location; • Clearly documented recovery procedures for all of the key IT infrastructure components. ; • High availability, periodical and incremental backups.; • Spare hardware to minimise any potential delays in recovery.; • Dedicated lease line connection from the DDC offices.; ; DDC’s Business Continuity and Disaster Recovery Plans can be made available on request.
• Outage reporting: As DDC operate a continuous integration software workflow, regular downtime is unnecessary. If downtime is required notifications are communicated through news channels to users with a minimum of 2 weeks notice. Email notifications can be activated as per user preference. During the downtime a failover page providing notice to the user is displayed. Any downtime due to maintenance is scheduled outside of core working hours and will not be between 8am and 8pm Monday to Friday.; ; In the event of system downtime due to unexpected incidents, DDC utilise a failover page hosted on Amazon Web Services (i.e. independent from the main system). This allows notices to be raised about known issues affecting any aspect of the service. This page is then linked to the DDC public site (www.ddc.uk.net) which will display a news article about the issue and the response times. The DDC management team will update this News Article to confirm the phases of the response as per the Disaster Recover and Business Continuity Planning (DR & BCP).

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Username or password
  • Other
• Other user authentication: Additional security challenge and response is required when any data is inputted into the system or restricted areas are accessed.
• Access restrictions in management interfaces and support channels: User access is restricted through a hierarchy system ensuring that users only access data they are authorised to view. Access levels reflect the user’s role within the pre-employment checking process. This ensures that the user can perform all necessary tasks whilst maintaining the highest level of data security.; ; Users are granted access through an agreed channel and authorisation process. Each user has unique credentials to access the system, with logging of all actions completed to ensure a full audit trail is available. Authorised users can access a user report which highlights the level of access granted.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • Username or password
  • Other
• Description of management access authentication: Additional security challenge and response is required when restricted areas of the system/service are accessed or greater authentication is required.

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Alcumus ISOQAR
• ISO/IEC 27001 accreditation date: 09/08/2021
• What the ISO/IEC 27001 doesn’t cover: A.13.1.3 Segregation in networks is excluded. DDC only operate one network domain. ; A.14.2.7 Outsourced development. All DDC software is developed in house.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Sysnet
• PCI DSS accreditation date: 01/06/2021
• What the PCI DSS doesn’t cover: DDC are fully PCI DSS compliant
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • ISO27001:2015
  • ISO9001:2018

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: DDC have ISO27001 Information Security Management Standard accreditation, which applies to all areas of the business. As part of the requirements, the business utilises a detailed wiki on the Core Policies of the business, together with specific Information Security policies and processes. This is regularly audited by a dedicated Information Security Manager, and supported by a working QA and ISO Team. This team also ensure that all new DDC team members have undertaken the relevant training to their role within the business. All staff undergo annual information security and data protection training. ; ; Included in the Information Security Management Standard (ISMS) is an extensive policy and process regarding business continuity planning (BCP) and disaster recovery (DR). ISO27001 is a requirement of e-bulk and the organisation incorporates data security considerations into all systems and processes. These policies and processes detail both the procedures and the physical systems which ensures the organisation provides a resilient and robust system. Policies and procedures are reviewed twice per year, at a specifically convened Information Security Management Systems (ISMS) meeting. As part of this meeting the team cover disaster emulation to pro-actively test the processes and policies in place to ensure they are fit for purpose.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: The Management and Development Team use a formal change control questionnaire for all large developments, as part of a larger project plan. This includes key questions about the business processes affected and a specific section about data security considerations. This six-stage project plan includes, kick off, design & planning, development, testing, deployment, monitoring and review & sign-off stages. The project management template ensures security considerations are evaluated and assessed at every stage of development. Any significant changes affecting clients are communicated through account managers or the Client Area News Feed.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: DDC utilise a detailed risk analysis process which systematically details the hardware/ systems assets in place to generate a risk score. ; Each of the risks is evaluated and given a 'risk score' which must then be reviewed and accepted by the management team. As part of the ongoing investment in the system and ISO27001 accreditation these risks are evaluated each month, to assess if there are other technical solutions that can reduce the risk further.; ; Critical patches are applied 24 hours after release, security patches are applied weekly after ISMS approval.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Vulnerability scans are run monthly as part of the PCI compliance system. Ad-hoc scans are run as required during the month, where any system updates are conducted. Annual Penetration tests are run with a certificate of conformity issued. Any ‘areas for concern’ are emailed to company Directors with corresponding ISMS tasks generated. Critical issues are addressed immediately, high are addressed within 1 month, medium within 3 months and low within 6 months.
• Incident management type: Supplier-defined controls
• Incident management approach: DDC utilise software (Jira) for the reporting and logging of incidents. Tasks are prioritised depending on the severity of the incident and allocated to the relevant department owner. Critical tasks are addressed immediately to reduce potential loss of availability and data exposure.; ; Depending on the nature of the event clients must first report the issue directly the Customer Service Team with specific details required to allow the emulation of the issue. Once replication has been achieved a work ticket is created as a defined ‘non-conformity’ ticket type, with a corresponding development ticket.; ; Clients are informed on resolution where necessary.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  DDC recognise the need to be mindful of our environmental impact as a national organisation. Through our environmental policy, DDC set objectives to minimise the organization’s carbon footprint by ensuring processes are as efficient as possible. DDC’s management ensure that an environmentally friendly culture is shared across all employees by providing the means for all staff to contribute to a sustainable service. This core policy is included in everything we do from the sourcing of materials to dealing with waste generated by the company.
• Equal opportunity:

  Equal opportunity

  DDC is committed to equality of opportunity both in the provision of services and as an employer. The Board of Directors promote equality and diversity and a culture that actively values differences, and recognises people from different backgrounds and with different experiences. All team members are provided with equality and diversity training which is refreshed annually.
• Wellbeing:

  Wellbeing

  The Directors realise that to deliver consistent quality, excellence needs to be set as the minimum standard in everything the business does. This starts with how the company treats employees, and translates into how the team treats clients, applicants and those organisations that we interact with. The company values all clients, applicants and users of the service and has detailed polices to make our actions as transparent as possible, and fair to all involved. The entire team are encouraged to come forward with ideas and suggestions to make our working environment fairer for everyone. This includes all aspects of health and wellbeing of the team.; ; The business is a Living Wage supporter and pays all fully trained staff members the Living Wage as defined by the Living Wage Foundation. The Management Team are also working towards a formal accreditation from the Living Wage Foundation to demonstrate this commitment to clients and applicants. This project is a long term aim of the Directors and is seen as a core part of the Social Value and the Quality Commitment improvements required by the business.

Pricing

• Price: £5.00 a unit
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Full access is provided during the trial period. No specific time period is applied. All checks added to the system will be paid for in full. If the client decides not to go ahead, those applications already initiated will be completed.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at jakew@ddc.uk.net. Tell them what format you need. It will help if you say what assistive technology you use.