HiringCoachAI

Background checks

Last reviewed 2026-05-18

Requirement

HiringCoachAI performs third-party background checks before any worker is granted access to sensitive systems, regardless of worker type (full-time employee, contractor, short-term helper, intern, or volunteer).

A background check is required before any worker is granted any of the following access:

  • Production system access
  • Customer-data access
  • Source-code access
  • Vendor-dashboard access
  • Administrative access to compliance, security, payment, or identity systems

Sensitive-system access is not automatic for any worker type. The Security Officer approves or denies every request for production, customer-data, source-code, vendor-dashboard, payment, identity, security, or compliance-administrator access based on business need, least privilege, signed confidentiality / acceptable-use terms, training status, and risk.

Exceptions

  • Planned exception: any future request to grant sensitive access to a worker for whom third-party screening is operationally infeasible requires formal amendment of this policy, with documented Security Officer approval and written rationale, before access is granted.
  • Emergency exception: documented emergency-access exceptions follow the exception process in the patch-management policy.

Current state

Current sensitive-system access is covered by an owner/officer exception to employee/vendor screening, with compensating controls under access control, training, MFA, audit logging, and change management. Before any additional worker receives sensitive access, third-party screening is required.

Limited internal-document collaboration that does not include customer data, source code, production systems, or vendor dashboards does not trigger the screening requirement above.

Background-screening records are retained internally when the requirement is triggered.

Check components

For pre-access screening, at minimum:

  1. Identity verification: confirmed via government-issued ID.
  2. Employment eligibility: verified per jurisdictional requirements (I-9 in US for full-time employees; equivalent worker-type checks for other workers).
  3. Criminal history: national criminal records search (US: multi-state; non-US: equivalent per country).
  4. Education / credential verification: for claimed credentials material to the role.
  5. Sex-offender registry search (US).
  6. Global sanctions / PEP screen (OFAC, EU, UK consolidated lists).

Provider

Preferred: Checkr. Alternatives: HireRight, Sterling, Yardstick. Provider choice is the Security Officer's discretion and may vary by jurisdiction.

The provider's report is retained internally in hashed or redacted form, recording only the date of check, provider, result (pass / fail / pending), and provider reference number. Raw reports are retained by the provider per their policy and are not duplicated locally.

Non-US personnel

Equivalent checks per jurisdiction, respecting local labor and privacy law (e.g., EU may limit criminal-record searches; Germany has strict rules on reference checks). The Security Officer confirms jurisdictional fit before initiating.

Re-checks

For any worker with continuous sensitive access:

  • At role change that grants new sensitive access (e.g., promotion to admin or security alternate).
  • Every 5 years for workers with continuous production access.
  • On credible concern (flagged by another team member, audit finding, external report).

Failure

A "fail" result does not automatically disqualify a worker; the Security Officer reviews the finding, with legal counsel if available, to determine whether it is material to the role. If material, the offer is withdrawn or access is not granted.

Consent

Candidates are informed in writing that a check will be conducted and sign consent (FCRA-compliant in the US for full-time employees; equivalent worker-type consent for other workers) before it runs.

Non-sensitive access (no screening required)

Internal-only access that does not include customer data, source code, production systems, or vendor dashboards does not trigger the screening requirement above. The Security Officer may authorize such non-sensitive access for contractors, short-term helpers, interns, or volunteers when all of the following are true:

  • The access is justified by a documented business need
  • Access is least-privilege and time-bounded where practical
  • Confidentiality / acceptable-use terms are acknowledged before access
  • Required security or privacy training is completed before sensitive operational work
  • The access level is approved by the Security Officer
  • The access scope does not include any of the sensitive systems listed under §Requirement

The Security Officer may deny any access request, narrow the scope, or require the worker to complete third-party background screening before the request is reconsidered.
