Credentially

Employee Credentialing and Compliance Software

Onboarding and compliance management automation to reduce the effort and cost associated with onboarding and managing clinical staff. Improves patient safety and care quality through the active management of clinical compliance. Process automation releases admin time to care. Reduce time to onboard new clinical staff.

Features

• Automated staff onboarding
• Automated compliance management
• Enhanced onboarding experience for candidates
• Digital right to work checks
• Document upload, scanning and data extraction
• Digital Staff Passport Ready
• Manage practicing privileges
• Automated referencing
• Documents & Policy E-signatures
• Customised, flexible onboarding process

Benefits

• Frees HR resources that can be applied to patient care.
• Reduction in agency/bank spending through faster onboarding
• Comprehensive license and DBS checking leads to improved patient care
• Reduction in candidate dropouts related to onboarding delays
• Reduction in errors related to data entry issues
• Increase in the quality of referencing.
• Digital transformation of inefficient processes related to onboarding and compliance
• Improved quality of care through better compliance management
• Enables adoption of a standardised onboarding process
• CQC friendly exportable audit trail

£4.13 to £11.00 a user a month

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  ODT

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at colin.breavington@credentially.io. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

547873276921268

Contact

Colin Breavington
+44 (0) 203 514 7077
colin.breavington@credentially.io

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: No constraints
• System requirements:
  • Modern Browser (i.e Chrome, Edge, Firefox, Safari etc)
  • Internet connection

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Less than 1 hour during business hours (Monday-Friday 09:00-17:00).
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
• Web chat accessibility testing: Testing was carried out before deployment
• Onsite support: Yes, at extra cost
• Support levels: 1st Line: Most queries are handled and completed on a first call. ; 2nd Line: Escalated issues are handled by in-house developers.; ; The product provide is configured declaratively, no technical account manager is required. Our in-house developers do complete bug fixes and release patches to resolve technical issues.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Most user's do not require training. However virtual training is offered to those that require it. Online help guides are also available.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Customers are able to download any data and associated documents for the purposes of back up or to migrating to another a platform. Configuration can be stored or deleted as the customer prefers. Data will be deleted/retained to meet both the client’s and Credentially’s GDPR and other legal obligations. Access to data export is managed by licensing and permission settings
• End-of-contract process: If a customer cancels Credentially will organise an offboarding process with the customer. Typically this would include: ; ; - Data extraction; - Configuration documentation and export; - Deletion of customer organisation

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Every web page is responsive to mobile and tablets. It can adapted to any screen size. All features are available across all devices.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: Our Credentially platform is a workflow tool to help organisations to onboard employees and provide ongoing regulatory staff compliance. ; ; The tool is employee focused to make it easy for them to complete compliance requirements. HR and compliance team, can easily review information and manage compliance you using a clear and intuitive interface.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Tests are completed before deployments to meet WCAG 2.1 AA standards, and to ensure compatibility with browser accessibility features.
• API: Yes
• What users can and can't do using the API: We provide a public REST API that enables integration with third party applications. Data can be retrieved from Credentially through the API and transactions can be initiated.
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
  • PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: The Credentially platform has flexible components which can be configured declaratively. Our in-house Customer Success team can assist if required and provide advice on best practices.

Scaling

• Independence of resources: Credentially is hosted on AWS and its Elastic Load Balancing (ELB) automatically distributes incoming application traffic across multiple targets and virtual appliances in one or more Availability Zones (AZs).

Analytics

• Service usage metrics: Yes
• Metrics types: Customers have access to management reporting to view staff onboarding and compliance.
• Reporting types:
  • Real-time dashboards
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Users can extract their data from directly from the platform in csv format. Document are extracted in the format they will uploaded.
• Data export formats:
  • CSV
  • Other
• Other data export formats: PDF
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: The Company will use commercially reasonable measures in terms of redundancy, monitoring and platform management to make the Service available via the Internet 99.95% of the time 24 hours a day 7 days a week during the Measurement Period, except during Planned Maintenance, and excluding unavailability caused by Out of Scope Issues (“Availability Service Level”). All Availability measurements shall be calculated by the Company. ; ; Status is available live via status.credentially.io
• Approach to resilience: The application has been tested internally attacks against OWASP lists and using multiple industry-standard WAF attack patterns and rules; ; Our supplier AWS:; AWS WAF helps protect applications and web service components against application- level attacks, using a customer-configurable ruleset. Request types, source IP addresses and other request properties may be configured as the criteria for blacklists or whitelists – which can even be updated automatically. More specialised requirements in this category may be met by a relevant product from the AWS Marketplace. For details on how to use this service, see AWS WAF.
• Outage reporting: Email alerts are generated for unplanned outages.; ; Planned Maintenance; The Company usually carries out planned maintenance in the maintenance windows set out below. If planned maintenance is to be performed outside of these windows the Company shall give the Customer at least 48 hours prior notice if there is any expected downtime.; ; Emergency Maintenance; The Company shall where possible, provide the Customer with prior notice of Emergency Maintenance. However, work may commence at any time and shall continue until completed. The Company shall attempt but cannot guarantee scheduling Emergency Maintenance during non-Business Hours.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Other
• Other user authentication: Passwordless login or OAUTH2 Single Sign On:; -A user submits their email and the Credentially system checks to see if the email is tied to a valid user account. If found the platform sends an email to the submitted email address. So only the user who has access to the submitted email address can access Credentially.; - sent only once; - expires after 10 minutes; -Credentially does not collect or store passwords so they can never be compromised. Nor can a compromised password that is re-used by user across multiple platforms/sites be used to gain access ; ; 2FA via SMS
• Access restrictions in management interfaces and support channels: Data segregation between environments and minimal necessary access principle is in operation. ; ; Client user access is controlled via user license and permission provisioning.
• Access restriction testing frequency: At least once a year
• Management access authentication: Other
• Description of management access authentication: Passwordless login: -A user submits their email and the Credentially system checks to see if the email is tied to a valid user account. If found the platform sends an email to the submitted email address. So only the user who has access to the submitted email address can access Credentially. -The link sent can only be used once. -The link expires after 10 minutes. -Credentially does not collect or store passwords so they can never be compromised. Nor can a compromised password that is re-used by user across multiple platforms/sites be used to gain access to the Credentially platform.

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: PECB MS
• ISO/IEC 27001 accreditation date: 22/09/2020
• What the ISO/IEC 27001 doesn’t cover: Not Applicable
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Organizational security:; Credentially we are creating and maintaining a platform that is based on world’s best data protection and security standards at all levels. We are registered with ICO and comply with IG SoC. Credentially is actively complies with GDPR (General Data Protection Regulation). Credentially ; Has stablished an industry-leading security program, dedicated to ensuring customers have the highest confidence in our custodianship of their data. Our security program is aligned to the ISO 27001 standards and is regularly audited and assessed by third parties and customers.; ; Personnel security:; Credentially personnel practices apply to all members of the Credentially workforce (“workers”)—regular employees and independent contractors—who have direct access to Credentially internal information systems (“systems”) and / or unescorted access to Credentially office space. All workers are required to understand and follow internal policies and; standards. Before gaining initial access to systems, all workers must agree to confidentiality terms, pass a background screening, and attend security training. This training covers privacy and security topics, including device security, acceptable use, preventing malware, physical security, data privacy, account management, and incident reporting. Upon termination of working at Credentially, all access to Credentially systems is removed immediately.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: The product is highly flexible and declarative (no code). These changes can be made by the customer or they can request customer support for assistance. These types of changes to no have a security impact. Audit logs and customer support notes track this changes. ; ; Feature development includes Business Analysis, DPIA, Quality Assurance following best practice guidelines, and end client UAT. ; ; All feature development is document from conception to deployment and patches.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Credentially monitors technical threats, regularly trains staff and improves security as result. ; ; Credentially completes: DPIAs, pen tests, real time monitoring and regular reviews. DAST & SAST processes are in place. As well as OWASP aligned ranking.; ; Response times depend on the situation:; Critical issues are defined as "a problem is classified as critical if the Service is not available, or a significant group of users cannot log in or if there appear to be serious performance or access problems across the entire product." The target resolution is 15 minutes during UK business hours and 2 hours outside of business hours.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Credentially monitors servers, workstations and mobile devices to retain and analyse a comprehensive view of the security state of its corporate and production infrastructure. Administrative access, use of privileged commands, and system calls on all servers in production network are logged.; ; Credentially stores production logs for analysis in a separate network. Access to this network is restricted to security team members. Logs are protected from modification and retained for at least two years. Analysis of logs is automated to the extent practical to detect potential issues and alert responsible personnel. Alerts are examined and resolved based on documented priorities.
• Incident management type: Supplier-defined controls
• Incident management approach: Responding to security incidents; Credentially has established policies and procedures (also known as runbooks) for responding to potential security incidents. All incidents are managed by Credentially’s dedicated Computer Security Incident Response Team. Credentially defines the types of events that must be managed via the incident response process. Incidents are classified by severity. Incident response procedures are tested and updated at least annually.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Credentially strives to be a leader in environmental sustainability. We believe that a successful future for our business and the customers we serve depends on the sustainability of the environment, communities, and economies in which we operate.; ; As a responsible corporate citizen, we bear a responsibility to consider the impacts of our actions and how they affect the environment, both directly in terms of our own operations, and indirectly through our purchasing decisions, the products and services we offer to our customers, and the business opportunities we pursue.; ; We are fully committed to minimizing the impact of our operations on the environment.

  Covid-19 recovery

  In 2020, the UK Government set up the Covid-19 Clinical Assessment Service (CCAS). A temporary service that was rapidly mobilised as a part of the UK’s national response to the pandemic. Credentially was asked by NHS England to assist in the national Covid response after volunteering their team and technology to assist any NHS provider struggling to quickly onboard an emergency workforce.; ; Credentially was asked to assist and work with existing NHS systems, including, an established web interface, DBS provider, along with calendar and booking systems. Within 3 weeks CCAS had onboarded over 3000 staff.; ; Today, our mission is to create a future in which healthcare professionals are liberated from administrative burdens and compliance complexities, enabling them to dedicate their full attention to delivering exceptional patient care and assisting the Covid-19 recovery. With faster onboarding (from 60 days down to 5) means quicker staffing, easing burnout and putting more healthcare professionals where they're needed most - caring for patients.; ; We are also a key supplier of the NHS Emeritus project which aims to reduce the current NHS backlog.

  Equal opportunity

  Credentially is an equal opportunity employer and is committed to a policy of treating all its employees and job applicants equally. Credentially avoid unlawful discrimination in all aspects of employment including recruitment and selection, promotion, transfer, opportunities for training, pay and benefits, other terms of employment, discipline, selection for redundancy, and dismissal.; ; It is the policy of Credentially to take all reasonable steps to employ and promote employees on the basis of their abilities and qualifications without regard to age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race (including colour, nationality, and ethnic or national origins), religion or belief, sex and/or sexual orientation. In this policy, these are known as the ‘protected characteristics’. Credentially appoint, train, develop and promote on the basis of merit and ability alone.

  Wellbeing

  At Credentially, we are committed to fostering an environment where the well-being of our team is a priority. We believe that a healthy work-life balance is essential for the creativity and productivity necessary to innovate in the software industry. Our comprehensive wellness program supports our employees' physical, mental, and emotional health, ensuring that every member of the Credentially family has the resources and support they need to thrive both in and out of the workplace. Together, we are building a culture that values the health and happiness of our team as the foundation of our success.

Pricing

• Price: £4.13 to £11.00 a user a month
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Demo accounts can be provided free of charge to larger purchasers. This will be for evaluation purposes only and is time limited.

Service documents

• Pricing document

  PDF

• Service definition document

  ODT

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at colin.breavington@credentially.io. Tell them what format you need. It will help if you say what assistive technology you use.