CDD Services Ltd

Spotlite Right to Work and Pre-employment screening, with optional Basic, Standard and Enhanced DBS

We provide a certified ISP and OSP solution under DSIT's Digital Trust Framework, and are a registered DBS Umbrella body.
We improve moblisation of resources and access to services within the VCS, streamlining due diligence processes, whilst enhancing trust in digital identities.

Features

• Reusable Digital Wallets
• Reusable Digital Identity
• Real time Identity Checks
• Digital Due Diligence
• API available
• Integrated DBS e-Bulk system - Basic, Standard & Enhanced DBS
• Real Time Pre-employment Screening, face to face and remote
• Perpetual compliance

Benefits

• Supports rapid mobilisation of resources
• Rapid access to services
• Support for vouching and digital inclusion
• Real time audit protecting licence to operate
• Simple integration to open standards reducing implementation costs
• All in one RTW and DBS process, removing multiple processes
• Quickly onboard new employees
• Ongoing Risk Management

£1.75 to £2.50 a transaction

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at susan.drew@cdd.services. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

866089872278852

Contact

Susan Drew
07785578088
susan.drew@cdd.services

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Personal Data Stores and CRM systems
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
• Service constraints: Support is within normal business working hours unless specifically contracted for alternative cover.; Planned maintenance is carried out with two weeks notice and out of normal business hours.
• System requirements: None

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Response within 1 hour within normal business hours and tickets are priorities for resolution.; Out of hours cover can be provided if required.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Spotlite is available 24/7. Whilst our support team is available Monday to Friday, 8:00 to 18:30 (excluding bank holidays), we have systems in place to make sure Spotlite stays up and running even outside of those hours. If there's an interruption to the Spotlite service, our systems will usually automatically restart or switch to another data centre, and we'll be alerted to any issues. ; ; Resolution to technical issues; SLAs exist for responding to technical issues based on the Severity of the issue.; Escalation process; The Applicant escalation process is Agent, FAQs, Support, Technical Support, Account Manager.; Support is provided within the service. ; Extra support services can be provided as required by the contract.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: The quickest way to get started is with a Pay As You Go (PAYG) account. All you need to do is to register on our website. You then create teams and agents, assign agents to teams and start sending invites to applicants. It's that easy! ; ; Our subscription services provide a more tailored experience to cover additional value-add services. The setup time varies depending on the extent of configuration you require from day one. ; ; As regards business readiness, for PAYG we offer two 30-minute training sessions on a ‘train the trainer’ approach. The material covers everything you need for the day to day running of the system, including: ; ; How you set up organisation structures, agents, and job roles ; ; How to send invites and check the results ; ; How to submit DBS checks and receive the results ; ; For a standard Spotlite Subscription, we budget for two weeks for setup, testing and training – although the actual time required will vary depending on your requirements.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Our exit strategy includes providing our customers with access to all their documents and data in a format that is easy to extract and transfer to another solution or provider. We ensure that the data is delivered in a secure and compliant manner to protect the privacy and security of our customers' data. ; ; Our team is available to work with our customers throughout the transition process, providing guidance and support to ensure a smooth and hassle-free transition. We also ensure that our customers are fully aware of the process and the steps required to extract their data and DBS certificates. ; ; The phase out and exit plan is very simple as follows: ; ; You stop processing applications ; ; Those applications in flight, complete their journey ; ; Whilst all applications are completing, you start the downloading the relevant data tables from the View Activity Portal ; ; If you are not downloading individual Spotlite Certificates as part of their business-as-usual workflows, we will provide a download of Certificates en-masse as required. ; ; We are committed to ensuring that our customers are fully satisfied with our services, and that includes supporting a comprehensive exit strategy.
• End-of-contract process: There are no additional contract costs to our standard service.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Our Spotlite app for applicants provides -; Digital ID; Right to Work; DBS; Pre-Employment Screening; Right to Rent; With more smartphones used than computers, Applicants prefer the natural simplicity of completing their checks on their phone. Our propriety Spotlite app and compliance platform removes unnecessary friction, effort and cost when conducting due diligence checks on individuals. ; ; What’s more, once the Data Protection and Digital Information Bill is passed in the next few months, our Spotlite customers are well placed to take advantage of the new data sharing Scheme once they are available – buying into the future of proof.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: We have agent and applicant web portals supporting multiple user journeys and workflows.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: We are committed to making our websites and apps as accessible as possible in accordance with the Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations2018 and WCAG2.1.AA. ; Where Spotlite UI components are inadvertently published which do not meet these standards, we will remediate the situation as soon as possible. ; ; Spotlite was externally audited and certified against Section 13.4 of the UK Government’s Digital Identity and Attribute Framework.
• API: Yes
• What users can and can't do using the API: Spotlite's API can be called from your own systems.; ; It has been designed to seamlessly integrate with Applicant Tracking Systems (ATS), enabling the ATS to drive Spotlite’s processes and receive the results. ; ; In Spotlite a Service is defined within the context of a Service Pack which in turn is defined within a Scheme. Examples of two such public Schemes are Right to Work (RTW), administered by the Home Office, and DBS administered by DBS. Other commercial Schemes will become available over the next few years as the UK’s Trust Framework roles out across multiple markets. ; ; Out of the box Spotlite comes with a set of different Services for RTW and Standard and Enhanced DBS. ; ; Spotlite's integration with an Applicant Tracking Systems is achieved through a standard API that acts as a bridge between the two systems. The API enables seamless data exchange. The integration covers the transfer of Applicant details, real-time updates on the assessment process and efficient document retrieval. This level of integration ensures that Spotlite can be effectively incorporated into existing ATS workflows, enhancing the overall efficiency of the recruitment and assessment processes.
• API documentation: Yes
• API documentation formats: PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Spotlite is designed to be fully customisable to meet the unique needs of different user groups. With Spotlite, you can manage and optimise your application process, automating the flow and monitoring progress every step of the way.

Scaling

• Independence of resources: Our services are always available thanks to our high availability plan with Microsoft Azure, ensuring a 99.99% uptime and a quick response time SLA of under 3 seconds. ; ; Our databases are constantly backed up through transaction logging. With the Spotlite database and associated document containers, we can restore your data to a specific point in time, so we don’t have to take the system down while we take backups. ; ; Our services and databases are mirrored across two data centres, UK South and UK West, ensuring Spotlite remains available even in the event of a data centre failure.

Analytics

• Service usage metrics: Yes
• Metrics types: Spotlite provides Business Intelligence and management information, available as a dashboard and has the ability to download data in a number of formats including Excel and business Intelligence tools such as Power BI. The tools link to Spotlite’s cutting-edge OLAP Snowflake Database Schema. ; ; Access is via Spotlite’s View Activity Portal, allowing authorised users to download reports. ; ; Spotlite can be configured to handle multiple department and team structures, application data can be ‘sliced and diced’ according to those structures. Additional dimensions include time, service, Applicant and Agent demographics, channel, etc.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Other
• Other data at rest protection approach: Spotlite encrypts:; Secure information and data while stored whether active, archived or otherwise, processed and handled ; Protect user credentials ; Enable secure communications and connections ; Enable verification, authentication, identification and validation ; Secure ad-hoc internet/networked connections between ICT systems and devices ; Minimum Encryption Algorithm is AES 128 Bit ; Minimum Transport Secure Layer to use is TLS 1.2 - we can use TLS 1.3 where available ; Azure SQL Server and Application services Encryption and Security ; VPN and Data Transport ; NCSC Cryptography advice and guidance for IPsec. ; Recommended Profile (2022) - RSA with 2048-bit modulus and SHA256 digests authentication method ; Certificate and Key Management
• Data sanitisation process: No
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Data can be downloaded directly from the Spotlite portal in the form of a PDF document or via the API.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • Json
  • XLS
  • PDF
  • Power Bi interface
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • PDF
  • Word
  • XLS

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

• Guaranteed availability: Our services are always available thanks to our high availability plan with Microsoft Azure, ensuring a 99.99% uptime and a quick response time SLA of under 3 seconds. Our databases are constantly backed up through transaction logging. With the Spotlite database and associated document containers, we can restore your data to a specific point in time, so we don’t have to take the system down while we take backups. Our services and databases are mirrored across two data centres, UK South and UK West, ensuring Spotlite remains available even in the event of a data centre failure.
• Approach to resilience: Available on request
• Outage reporting: There is a service availability page on the website and we provide an email alert and updates in respect of any System availability issues e.g. Home Office Share Code system unavailable.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: There is full control over the access rights of users and levels. Each Team can be locked into a specific pack of services, functions and application types that are unique for that team. ; ; We also provide: ; ; Simple Identity Authentication – Single Sign On supported by digital identity ; ; User-Defined Application Management – Role Based Access Control to functions ; ; Customisable Business Intelligence – Oversight and control of who is doing what
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Citation
• ISO/IEC 27001 accreditation date: 18/12/2023
• What the ISO/IEC 27001 doesn’t cover: DIATF certification accredited by NQA on 24/02/2024
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: DIATF

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: We hold and regularly review all information security policies and processes in line with the requirements of ISO27001, including: -; Information Security Policy; ; Information Security Investigation Policy; ; ISMS Statement of Applicability; Information Security Incident Log; Archiving & Retention Policy; ; Data Management Policy; ; Data Protection Policy ; ; Logging Monitoring & Access Policy; ; Risk Assessment and Treatment Methodology

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: As part of our ISO27001 procedures, all changes are controlled, managed and traceable to the original enhancement request or service incident. System updates are governed by an in-house weekly Design Authority Team who assess end-to-end impacts before changes are released. This includes technical and user documentation. ; ; We also utilise Jira/Atlassian for Technical Changes: ; For example, upgrade a server (VPN) or deploy a patch to Spotlite Application are Technical Changes and will route via a Technical Authorisation.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Required
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Internal controls to monitor performance and drive continuous improvement: ; ; Freshdesk: all incoming queries are routed to the relevant team and tracked ; ; Service and Incident Teams Channel: where a technical incident occurs, the relevant internal terms are alerted though a dedicated channel. Resolution actions are tracked and monitored on the channel. ; Quality Control: at pre-set levels; Service and Incident Stand-up: each morning to review the events of the previous day and address any blockers ; ; Quality Assurance: Where we identify trends or software bugs, we look to establish route cause. We then seek to remediate the root causes as quickly as possible
• Incident management type: Supplier-defined controls
• Incident management approach: In line with ISO standards we have a Security Incident Process and also hold a dedicated Service and Incident Teams Channel: where a technical incident occurs, the relevant internal terms are alerted though a dedicated channel. Resolution actions are tracked and monitored on the channel. ; ; Service and Incident Stand-up: each morning we have a set of ‘stand-up’ calls where we review the events of the previous day and address any blockers.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Tackling economic inequality

  Tackling economic inequality

  Our SafeGuarden brand is a major social value initiative in the VCS sector called SafeGuarden Volunteers, born from working with others to help detect modern slavery within construction supply chains and designed to help VCS organisations. ; ; SafeGuarden will allow individuals to participate in the digital economy by offer a vouching service for those who do not possess a smartphone, tablet, or the appropriate documents to on-board remotely. The Scheme will aim to be as inclusive as is possible with mobile technology. ; ; Once a volunteer is onboard, SafeGuarden will regularly check both the DBS Update Service and the DVLA for any changes in the status of the Volunteer. ; ; SafeGuarden will deliver efficiency savings and improved service levels by significantly reducing processing timescales for DBS and DVLA checks and renewals. ; ; Finally, once SafeGuarden if financially sustainable, a proportion of surplus revenue will be returned to each of the participating charities. ; ; The Scheme will be certified under the Government’s Digital Trust Framework once the Data Protection and Digital Information Bill is passed through Parliament.

Pricing

• Price: £1.75 to £2.50 a transaction
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: The user would have access to the PAYG version of Spotlite include the basic web portal and apps and credits to allow them to process two basic checks.; They would not have access to the full portal, API, MI or DBS services.; Two weeks usage unless specifically arranged otherwise.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at susan.drew@cdd.services. Tell them what format you need. It will help if you say what assistive technology you use.