Terms & Conditions

a. This document outlines the Terms and Conditions (“Terms”) governing the use of GuardCheck, a professional background screening service operated by GuardPass Limited, a company incorporated in England and Wales. These Terms apply to all clients, users, and visitors who engage GuardCheck services. By accessing or using GuardCheck’s services, you agree to be bound by these Terms, including any updates made in accordance with Section 21.

b. Background screening is a sensitive and regulated activity. As such, GuardCheck ensures compliance with the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018, BS7858:2019, and the NSI Code of Practice NCP 119. These Terms are structured to provide clarity, transparency, and a legal framework for our operations and client relationships.

a. For the purposes of this document:

• “GuardCheck” refers to the vetting service provided by GuardPass Limited.
• “GuardPass Limited” refers to the parent company registered in England and Wales, company number [insert if available].
• “Client” refers to any individual, entity, organisation, or agent who uses GuardCheck services to perform background screening.
• “Candidate” refers to the individual whose data is submitted by the Client for screening.
• “Data Subject” refers to the Candidate under UK GDPR.
• “Report” means the final vetting report prepared by GuardCheck and made available to the Client.
• “Service” means all features, functions, technology, documentation, and services offered through GuardCheck.
• “Third-Party Verifier” includes but is not limited to Yoti (identity, liveness, sanctions), Credit Safe (financial), and Care Check (DBS).
• “Breach” refers to unauthorised access, disclosure, alteration, or loss of data.

a. Clients must:

• Be over the age of 18.
• Be authorised to act on behalf of the organisation they represent.
• Use GuardCheck services strictly for lawful screening purposes.
• Ensure proper vetting justifications and Candidate consent.

b. GuardCheck may refuse service or restrict access at its sole discretion.

a. GuardCheck provides a range of BS7858-compliant background checks including:

• Identity verification (photo ID and biometric matching)
• Liveness and facial recognition (via Yoti)
• Address verification (covering the previous 5 years)
• Career history validation (employment and education)
• Right to Work and SIA licence verification
• Basic and Enhanced DBS checks (facilitated through Care Check)
• Financial credit reports (via Credit Safe)
• Global watchlists, PEPs and sanctions screening

b. Customised services may be requested in writing and approved via written contract amendments.

a. Clients agree to:

• Obtain valid, documented, and informed consent from each Candidate in accordance with UK GDPR Article 6(1)(a).
• Submit only accurate, current, and complete Candidate information.
• Not coerce or mislead Candidates into providing consent.
• Comply with applicable employment laws, data protection regulations, and industry standards.
• Download Reports within 60 days of completion; storage beyond this is not guaranteed.
• Maintain confidentiality of login credentials, reports, and system access.
• Accept full responsibility for employment decisions based on GuardCheck outputs.

a. Candidates must:

• Provide truthful and complete information.
• Disclose relevant employment and address history.
• Participate in the vetting process in good faith.
• Cooperate in case of additional verification requests.

b. Candidates found submitting false documentation may be reported to the Client, disqualified from future screenings, and referred to appropriate authorities.

a. Clients and users must not:

• Share access credentials with unauthorised users.
• Copy, scrape, download, or modify GuardCheck's proprietary systems.
• Distribute Reports or data to unauthorised third parties.
• Use screening results for discriminatory or unlawful hiring practices.
• Attempt to circumvent verification or audit mechanisms
• Submit forged documents or manipulate report outcomes.
• Use GuardCheck in any capacity for spamming, fraud, or harassment.

b. Violations may result in suspension, termination, or legal action.

a. All Candidate data remains the property of the Candidate as the Data Subject.

b. The Client is the Data Controller and must ensure lawful collection.

c. GuardCheck is the Data Processor and acts solely on documented Client instructions.

d. Reports remain accessible to Clients for 60 days post-completion and are then deleted per Section 13.

e. Clients may not resell, license, sub-process, or derive commercial value from GuardCheck's outputs without prior written agreement.

a. GuardCheck relies on Third-Party Verifiers for certain checks. The Client acknowledges that:

• Accuracy, speed, and completeness may vary depending on external systems.
• GuardCheck is not liable for false positives, delayed returns, or failed verifications.
• Third-Party Verifiers are subject to their own terms and standards.

a. GuardCheck provides Reports on a best-effort basis but:

• Does not warrant the completeness, accuracy, or fitness for any specific purpose.
• Is not liable for downstream decisions made using its Reports.
• Is not responsible for employment suitability, legal compliance of Clients, or Candidate actions.
• Limits liability to the total service fee paid by the Client for the report in question.
• Is not liable for indirect, consequential, incidental, or punitive damages

a. GuardCheck implements and enforces:

• AES-256 encryption for data at rest.
• TLS 1.2+ for data in transit.
• Endpoint protection and antivirus (Bitdefender).
• Device control policies restricting USB and external storage.
• Screen capture, download, and printing disabled for sensitive views.
• Multi-factor authentication for admin access.
• Secure vetting rooms (CCTV-monitored, fingerprint access).
• DLP, anomaly detection, and audit logging for compliance monitoring.

a. All data accessed in Pakistan is covered by the UK IDTA (International Data Transfer Agreement) and UK GDPR.

b. GuardCheck staff in Pakistan undergo police checks and compliance onboarding.

c. No data is stored on local systems; all access is VPN-gated and monitored.

d. Any changes to international processing vendors or jurisdictions will be communicated with clients.

a. GuardPass Limited, the parent company operating GuardCheck, has conducted a formal Data Transfer Impact Assessment (DTIA) in accordance with Articles 44-49 of the UK General Data Protection Regulation (UK GDPR). This assessment pertains specifically to the transfer of personal data from the UK to Pakistan, where GuardCheck's vetted administrative personnel perform background screening functions under strict technical and organisational safeguards.

b. Purpose and Legal Framework

• The DTIA was implemented to assess the legal, technical, and operational risks of data transfers to Pakistan, a country without a UK adequacy decision. GuardCheck ensures compliance by:
1. Executing a UK International Data Transfer Agreement (IDTA) with its Pakistan-based processors.
2. Applying supplementary measures to safeguard Candidate data.
3. Reviewing DTIA findings annually or upon regulatory or risk landscape changes.

c. Nature and Scope of Data Transfer

• Data Subjects: Candidates undergoing BS7858-compliant background checks.
• Categories of Data Transferred: Identity documents, name, address, 5-year career and address history, financial and criminal records, education, and licensing data.
• Purpose of Transfer: To allow administrative staff in Pakistan to carry out detailed vetting checks in accordance with UK security industry requirements.
• Frequency: Ongoing, as part of business operations.
• Retention: All data is automatically deleted after 60 days post-completion of vetting.

d. Risk and Hazard Assessment

• Legal and Regulatory Risk in Pakistan
1. Hazard: Absence of a national data protection law equivalent to UK GDPR.
2. Impact: Lack of legal recourse for UK-based data subjects.
3. Controls:

a. Binding contractual terms under IDTA.

b. No sub-processing permitted.

c. Background checks (police verification) for all administrative staff.

• Government Access Risk
1. Hazard: Potential access requests by Pakistani government entities.
2. Impact: Undue exposure of personal data.
3. Controls:

a. Encryption at rest (AES-256) and in transit (TLS 1.2+).

b. Restricted access through VPN and MFA.

c. CCTV-monitored, biometric-secured vetting environment.

d. Staff have no ability to download, screen capture, or print data.

• Cybersecurity and Breach Risk
1. Hazard: Data leakage due to malware or unprotected endpoints.
2. Controls:

a. Endpoint encryption, device locking, USB blocking.

b. DLP systems monitor all data activity, including read-only views.

c. Regular penetration testing and anti-virus protections.

• Insider Threat or Human Error
1. Hazard: Hazard: Accidental or malicious misuse of candidate data.
2. Controls:

a. Fingerprint-restricted access.

b. No personal devices allowed in secure rooms.

c. Screen locking policies, ongoing CCTV monitoring.

d. Staff subject to training, annual assessments, and confidentiality agreements

Residual Risk Assessment

• Following implementation of all security, legal, and organisational safeguards, GuardPass has concluded that the residual risk for international processing is low and acceptable under UK GDPR.
• Residual risk levels:
1. Legal enforcement risk: Low to moderate
2. Government access risk: Low
3. Cybersecurity breach risk: Low
4. Insider threat/human error: Low

f. Supplementary Measures Summary

• AES-256 encryption at rest
• TLS 1.2+ encryption in transit
• DLP to detect viewing access
• Endpoint device controls (no downloads, no USBs)
• Fingerprint-secured rooms
• CCTV surveillance
• Mandatory GDPR training and testing
• 60-day data retention with enforced deletion

g. Client Acknowledgement and Access

• By using GuardCheck, Clients:
1. Acknowledge the existence and scope of the DTIA
2. Agree that appropriate safeguards are in place for overseas processing
3. Accept the adequacy of GuardCheck's residual risk mitigation

h. Clients may view a copy of the DTIA by contacting the DPO (contact information provided below).

a. GuardCheck maintains a documented Data Breach Response Policy. In the event of a confirmed or suspected breach:

• Clients will be notified within 72 hours of discovery, where applicable.
• Affected Candidates will be informed without undue delay if their rights are likely impacted.
• Containment, investigation, and corrective measures will begin immediately upon detection.
• Incident logs, root-cause analyses, and remediation steps will be documented and retained.

b. Clients are responsible for:

• Immediately reporting any suspicious or malicious system activity observed.
• Notifying GuardCheck of unauthorised access or use of their credentials.

c. Breach-related communications will be handled transparently by GuardCheck's DPO.

a. Clients agree to indemnify and hold harmless GuardCheck (and GuardPass Limited), its affiliates, directors, employees, and subcontractors against any claims, liabilities, losses, costs, or damages arising from:

• Misuse of the platform or submitted data.
• Failure to obtain valid Candidate consent.
• Violation of employment laws or data protection obligations.
• Use of Reports for discriminatory, unethical, or unlawful hiring practices.
• Submission of fraudulent or misleading information.

b. This indemnification applies regardless of whether the claim arises from negligence, omission, or direct action by the Client.

a. GuardCheck shall not be liable for any failure or delay in performance due to:

• Natural disasters (e.g., flood, fire, earthquake).
• Epidemics or pandemics
• Acts of terrorism or war
• Government mandates or embargoes
• Internet, power, or network failures
• Labour strikes or civil unrest

b. In such cases, affected obligations shall be suspended for the duration of the force majeure event. If force majeure persists for more than 60 days, either party may terminate the affected portion of the agreement with written notice.

a. GuardCheck may terminate or suspend access to its services, with or without notice, if:

• These Terms are breached (e.g., unauthorised access, misuse of reports).
• False or misleading information is submitted by the Client.
• The Client’s actions compromise system integrity, data security, or other users.

b. Upon termination:

• Access to all platforms will be revoked.
• Outstanding fees become immediately payable.
• All Candidate data and Reports must be deleted by the Client.
• No refunds will be issued for completed services.

c. Clients may request voluntary termination by providing 30 days' written notice. However, completed services remain billable.

a. GuardCheck strives to provide:

• 99% uptime availability, excluding scheduled maintenance.
• Response to standard support queries within 1 business day.
• Turnaround for typical BS7858 Reports within 3-7 working days, subject to candidate cooperation and third-party verifier timelines.

b. Delays may arise from:

• Candidate non-responsiveness
• Delays at data sources (e.g., DBS, employers, academic institutions)
• Incomplete or inconsistent documentation

c. Service credits may be offered for systemic disruptions lasting longer than 48 hours, at GuardCheck's sole discretion.

a. GuardCheck may revise these Terms:

• To reflect changes in law, standards, services, or technology.
• Upon introducing new service features or vetting capabilities.

b. Changes will be communicated by:

• Email to the Client's registered contact.
• Platform or portal notifications.

c. Material changes will be provided 30 days' advance notice. Continued use of GuardCheck post-notification constitutes acceptance of the revised Terms.

a. GuardCheck reserves the right to conduct internal audits and retain audit logs in line with BS7858.

b. Clients may request audit documentation related to their screenings upon written request.

c. Any formal regulatory request (ICO, SIA, NSI) will be cooperated with fully.

d. Clients must:

• Retain audit logs and Reports as required by applicable regulations.
• Notify GuardCheck of any regulatory investigation or audit involving GuardCheck Reports or processes.

a. These Terms:

• Represent the entire agreement between the parties.
• Supersede all prior verbal or written communications.
• Shall be read in conjunction with any separate Data Processing Agreements (DPAs) or contracts.
• If any clause is held to be invalid or unenforceable, the remainder of the agreement will continue in full force.

a. These Terms are governed by and construed in accordance with the laws of England and Wales. In the event of a dispute:

• The parties agree to attempt resolution via good faith negotiation.
• Failing that, disputes shall be submitted to mediation under the Civil Mediation Council framework.
• If unresolved, disputes shall be adjudicated exclusively by the courts of England and Wales.

a. GuardCheck, a service of GuardPass Limited

• 1 Fore Street Avenue, London, EC2Y 9D

• info@guardpass.com

b. DPO: Shahab Ali, Managing Director

• Email: shahab@guardpass.com