
FAQs: Background checks: requirements, Secureframe setup, and common scenarios


Written by Brady Price

This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.

It is meant as quick reference material for day-to-day use of the product.

Secureframe: product setup and evidence

How can I remove or disable background checks from my account or application?

  • There is no setting that switches background checks off for an account. Completed background checks are stored in the Data Room, and reports that were pulled from the integrated provider can be archived via the three-dot menu on the report. If you need checks removed or disabled for specific users, move those users to a group that is exempt from background checks. For additional questions or help with this, please reach out to our support team!

How can one retract the initiation of a background check?

  • Currently, there is no direct way to cancel or retract a background check once it has been initiated. However, if you need to exclude a user from background checks, you can move the user to a group that is exempt from background checks.

    This will effectively prevent the system from requiring or processing a background check for that user moving forward.

    Note: This does not delete or undo any actions already taken by the background check provider. If needed, reach out directly to the provider for further support on reversing or stopping the check.

What if our employees completed their background check with a different email?

  • During employee onboarding, each employee provides the email address they used when consenting to the background check. Secureframe uses that address to match and pull the completed check for the user, so the address entered must be the one on file with the check provider, even if it differs from the employee's work email.

Does Secureframe support Vetty for background checks?

  • Vetty is no longer offered as a background check option for new customers. Secureframe now only supports Checkr for background check integrations. If you are an existing customer currently using Vetty, your connection will continue to work. For questions or help setting up Checkr, please reach out to our support team!

What to do for background checks if there are no new hires during audit window?

  • If no new hires occur during the audit window, there is no new-hire population for the control to operate on, so the client does not need to provide background check results for that window. Be prepared to demonstrate that the population was empty (for example, an HR roster export showing no hires in the period), and keep the background check policy itself available as evidence that the control is still in place.

Does this Initiate Background Check restart an existing background check process?

  • No, it does not restart an existing check. The Initiate Background Check button is only clickable when a check has not yet been started. If a check is already in progress or completed in the system, the option is disabled or removed. For background checks completed outside the integration, admins can instead upload the existing report manually to the Data Room as evidence.

What email should I use for my background check?

  • Enter the email used during your background check. If you've completed a background check previously (with Checkr or Vetty), use the same email address to backfill the completed check.

If a client has previous background checks from a non-integrated vendor, do they need to re-run background checks?

  • No, there is no need to re-run background checks. Checks performed by a non-integrated vendor can be used as evidence; they just need to be uploaded manually to the Data Room.

Policy, timing, and retention

When do background checks need to be performed?

  • Background checks should be performed in accordance with the company's policy, typically within 30 days of hire.

How long should background check results be retained to comply with audit requirements, and what is the recommended policy?

  • Background check results should be retained at least through the duration of employment and in accordance with your organization-defined re-screening frequency. This allows you to demonstrate compliance with your policy during an audit.

    Organizations typically define re-screening intervals such as annually, or every 3–7 years. To meet audit requirements, you should be able to provide evidence that background checks were completed and refreshed based on your stated policy.

    Recommended policy:

    Define a clear re-screening frequency in your Background Check Policy or the related policy that covers screening (e.g., every 3 years).

    Retain background check results for the length of employment plus the re-screening interval (e.g., 3 additional years after separation if 3 years is your re-screening period).

    Ensure secure storage with restricted access to these records.

    Always consult with your legal or HR team for additional guidance on applicable data retention laws in your jurisdiction.

SOC 2

Are background checks a requirement for SOC 2?

  • Since SOC 2 is forward-looking, only employees hired after the control is in place need to complete a background check. If a customer is performing a Type 1 audit and does not plan to hire in the near term, it is recommended to have at least one background check completed so there is evidence for the control. All in-scope contractors must have a background check performed. For employees based outside the US, where checks may be restricted, uploading their resume and references can satisfy this control.

For SOC 2, what types of background checks are required?

  • SOC 2 does not specify the type of background checks. As long as background checks are performed, it is up to the organization to decide what type of checks to conduct on employees.

We previously relied on resumes instead of formal background checks, but we’re implementing background checks this cycle. For SOC 2, how should we handle minor or historic criminal violations (e.g., a small theft from several years ago)?

  • SOC 2 does not require organizations to automatically disqualify employees for minor or historic offenses. The key auditor expectation is that a background check is performed and that the organization follows a documented, risk-based decision process for how results are evaluated and handled.

    If a background check identifies a minor or older violation, this can typically be addressed through:

    Documented risk assessment and rationale

    Appropriate access controls or role restrictions (if needed)

    Increased monitoring where relevant

    Formal risk acceptance by management

    Auditors are primarily looking for evidence that the organization:

    Performs background checks consistently

    Evaluates results thoughtfully rather than punitively

    Aligns access and controls with assessed risk

    Moving from resumes to formal background checks is generally viewed as a maturity improvement, not a deficiency, even if historic checks were not performed previously.

ISO 27001 (and related)

Are background checks required for ISO 27001?

  • ISO 27001 does not mandate a specific type of background check. The Annex A screening control (A.6.1 in the 2022 edition, A.7.1.1 in 2013) calls for background verification of candidates that is proportionate to business requirements, the classification of the information they will access, and the perceived risks, carried out in line with applicable laws. It is a best practice to perform third-party background checks on employees in critical roles. Pre-employment screening may include verification of references, resume accuracy, identity, and criminal or credit history.

For ISO 27001, is it correct that we do not need background checks if employees are based in a specific country and/or are contractors?

  • Correct. ISO 27001 requires appropriate pre-employment screening based on local labor laws and organizational policy.
    If background checks are restricted or not customary in that jurisdiction, alternative methods such as résumé review, reference checks, or interview-based screening are sufficient. Record in your policy which method applies to which population so the auditor can see the alternative was deliberate rather than a gap.

We are aligned to both ISO 27001 and ISO 9001. Our organization began performing background checks in 2022, but some employees hired before that did not have a background check completed at the time of hire. Do we need to retroactively perform background checks on those employees?

  • No, retroactive background checks are not required.
    It is sufficient to have a documented background check policy in place and to provide evidence that background checks have been consistently performed since the policy took effect (e.g., for all new hires after 2022).

    Auditors generally look for:

    A formally approved and enforced policy

    Evidence that the control is operating as designed going forward

    Consistent application from the policy effective date onward

    As long as background checks are completed for new hires per the policy and this can be demonstrated with evidence, this approach is acceptable for both ISO 27001 and ISO 9001.

HIPAA

Do personnel need to do background checks for HIPAA?

  • While HIPAA does not explicitly require background checks, they are recommended for all personnel, especially those with access to PHI. Some organizations choose not to perform them where they are not feasible; in that case, document the rationale and any compensating controls (such as access restrictions) so the decision is defensible during an audit.

International and contractors

Can a company require background checks for contractors not in the US?

  • Yes, but background check requirements vary by country. Some countries have laws restricting or prohibiting background checks for contractors, so check local regulations before initiating one.

Are background checks required in US and other countries?

  • Whether background checks are required depends on local laws. In countries such as Canada, India, and China, background checks may be restricted or not customary. In such cases, a resume or alternative proof of screening may be acceptable.

Additional customer questions

How long does a background check take when using Checkr?

  • Timing is driven by Checkr and the check package your organization ordered (criminal scope, county searches, etc.), not by a fixed clock inside Secureframe. In practice, many employment packages complete in roughly a few business days, while some searches (for example, certain county records) can take longer when courts or agencies are slow to respond. Check the status in Checkr if a report has been pending longer than expected.

What is Vitally and why am I seeing a link from it?

  • Vitally is the tool we use to share and track your Secureframe implementation plan. You may receive links from a vitally.io domain that guide you through key onboarding steps. This is part of your Customer Success experience and helps ensure you stay on track with your compliance journey.
