Compliance documents
Last reviewed 2026-05-22
Below is the catalog of compliance documents we publish, grouped by topic. The published prose covers policy, posture, and the controls actually in place; operationally sensitive specifics (runbook commands, escalation contacts) are kept internal and can be summarized for procurement reviewers on request.
Need a HECVAT or vendor questionnaire response? Email [email protected].
Security & privacy
- Security overview
  How we protect customer data: the controls actually in place today.
- Privacy policy
  Lawful basis, data subject rights, transfers, retention, contact.
- Cookie policy
  What cookies we set, why, and how to manage them.
- AI use disclosure
  How we use AI, with what data, and your control over it.
- AI model inventory
  Every model and provider invoked in production.
- AI bias evaluation
  Annual fairness review of our AI outputs.
- AI high-risk evaluation
  HiringCoachAI's posture on the high-risk AI evaluation questions assessed during higher-education vendor reviews (data handling, model lifecycle, safety controls, transparency, bias evaluation).
- Sub-processors
  Third parties that may process customer data on our behalf.
- Data Processing Agreement (template)
  Template DPA covering controller/processor roles, sub-processors, transfers, CCPA/CPRA, and FERPA addendum at §19.
- Data Retention Policy
  Per-data-class retention periods, backup posture, and account-deletion handling.
- Responsible disclosure
  How to report a security vulnerability.
Data handling
- Data classification
  How we tier data sensitivity and the controls each tier triggers.
- Data residency
  Where customer data is stored.
- Data map
  Personal data we collect, by purpose and lawful basis.
- Logging & retention
  What we log, where, and for how long.
Program
- Information security policy
  The high-level policy that governs our security program.
- Access control policy
  How access is granted, reviewed, and revoked.
- Secure development lifecycle
  How a code change makes it from a developer's keyboard to production.
- Change management
  Categories, approvals, deployment windows, and customer notifications.
- Patch management
  Dependency vulnerability triage SLAs.
- Background checks
  Pre-employment screening for personnel with production access.
- Acceptable use
  What customers may and may not do with the platform.
- Security awareness training
  Mandatory training for everyone with access to production systems.
- Security awareness training module
  The plain-language training module personnel acknowledge during onboarding.
- Privacy and data handling training module
  The plain-language privacy and data-handling module personnel acknowledge during onboarding.
- Responsible AI training module
  The plain-language responsible-AI module personnel acknowledge during onboarding.
- Incident reporting training module
  The plain-language incident-reporting module personnel acknowledge during onboarding.
- Device and physical security training module
  The plain-language device and physical-security module personnel acknowledge during onboarding.
- Accessibility training module
  Role-specific accessibility training for personnel assigned UI or accessibility responsibilities.
- Accessibility statement
  Our accessibility commitment, current verification status, conformance claim, feedback channel, and response/remediation targets.
- Accessibility roadmap
  Planned accessibility improvements, timelines, and progress-tracking sources.
- Physical security
  Endpoint and remote-work controls; we operate no first-party datacenters.
- Glossary
  Acronyms and terms used across HiringCoachAI's HECVAT responses, compliance documents, and trust-center pages.
- Breach notification
  Our 72-hour GDPR-aligned notification process.
- Vendor risk management
  How we assess, contract with, and re-review sub-processors throughout their lifecycle.
Framework mappings
- NIST CSF 2.0 mapping
  Our controls mapped to the NIST Cybersecurity Framework 2.0.
- NIST Privacy Framework mapping
  Our privacy program mapped to the NIST Privacy Framework v1.0.
- CIS Controls v8 IG1 mapping
  Our controls mapped to CIS Critical Controls v8 IG1.
- Deployment model
  Multi-tenant SaaS architecture and the boundaries within it.
- Architecture
  Component diagram and trust boundaries.
- Data flow diagram
  How data moves through the system.
Resilience
- Business continuity plan
  Activation triggers, dependencies, response structure, and testing cadence.
- Disaster recovery plan
  RTO/RPO commitments. Specific commands and contacts are internal.
- Incident response
  Severity levels, response phases, customer notification timelines.
- Internal audit program
  Quarterly self-audit checklist covering identity, secrets, data, app sec, monitoring, and resilience.