# NIST Privacy Framework mapping
Last reviewed 2026-05-12
This document maps HiringCoachAI's privacy program to the NIST Privacy Framework v1.0 Core. It is a current-state self-assessment for privacy due diligence and HECVAT support.
The current mapping baseline is NIST Privacy Framework v1.0, published January 2020. NIST Privacy Framework 1.1 remains in Initial Public Draft status as of this review; HiringCoachAI will review the final 1.1 Core after NIST publishes it.
## Status Key

| Status | Meaning |
|---|---|
| Implemented | The outcome is addressed by current policy, process, product behavior, provider controls, or review evidence. |
| Partial | The outcome is addressed in part, but coverage is intentionally limited by current product scope or a documented roadmap item. |
| Provider-managed | The outcome is primarily handled by managed cloud, hosting, identity, payment, or infrastructure providers under vendor controls reviewed through the vendor-risk program. |
| Not applicable | The outcome is not applicable to HiringCoachAI's current cloud-hosted SaaS scope. |
## Current Privacy Program Scope

HiringCoachAI processes account, authentication, career-content, resume, job-search, coaching, billing identifier, support, usage, and security-event data for a cloud-hosted SaaS product. The service is not designed to collect HIPAA-regulated protected health information, payment-card primary account numbers, card verification values, card-track data, government identifiers, children's personal data, or secrets. Because users can enter free text, unexpected regulated data may be submitted inadvertently; those cases are handled under confidential-data safeguards, data-subject request procedures, deletion procedures, and incident-response processes.
The privacy program uses the following evidence sources:

| Evidence area | Current sources |
|---|---|
| Privacy notice and user rights | Privacy Policy, Cookie Policy, Data Processing Agreement template |
| Data inventory and data flow | Data Map, Data Flow Diagram, Architecture, Data Residency |
| Vendor and processor governance | Sub-Processors List, DPA Register, Vendor Risk Management Policy |
| Privacy risk governance | Internal Audit Program, Information Security Policy, AI Use Policy, AI Model Inventory, AI Bias Evaluation |
| Data lifecycle | Data Retention Policy, Account Export, Account Deletion, Breach Notification |
| Access and protection | Access Control Policy, Acceptable Use Policy, Security Overview, Logging and Retention, Patch Management, Change Management |
| Resilience and response | Incident Response, Business Continuity Plan, Disaster Recovery Plan, Responsible Disclosure |
| Training and personnel | Security Awareness Training, Privacy/Data Handling Training Module, Background Checks, Access Control Policy |
## Function Coverage Summary

| NIST Privacy Framework function | Coverage | Summary |
|---|---|---|
| Identify-P | Implemented with partial third-party ecosystem depth | Data categories, processing purposes, systems, providers, processing locations, and core privacy risks are inventoried. Vendor reassessment is operating, with vendor assurance based on standard published terms, DPAs, and trust materials where available. |
| Govern-P | Implemented | Privacy roles, policies, training, legal obligations, risk review, data-subject request processes, complaint intake, and internal audit cadence are documented. |
| Control-P | Partial | Account export, account deletion, consent management, data retention, and user-editable data support the core privacy controls. Granular consent propagation, advanced de-identification, and user-selectable data-processing controls are scoped per feature. |
| Communicate-P | Implemented with partial data-lineage depth | Privacy notice, cookie notice, AI disclosure, sub-processor notice, breach-notification process, and privacy mailbox are in place. Detailed per-record provenance and downstream disclosure records are limited to current product and vendor registry scope. |
| Protect-P | Implemented with provider-managed components | Access control, encryption, logging, vulnerability management, change management, resilience, incident response, and provider-managed physical/infrastructure safeguards are documented. Hardware integrity and datacenter maintenance are provider-managed, not first-party controls. |
## Detailed Category Mapping

| NIST category | Subcategories covered | Coverage | HiringCoachAI controls and evidence |
|---|---|---|---|
| ID.IM-P: Inventory and Mapping | ID.IM-P1 through ID.IM-P8 | Implemented | Data Map inventories personal data categories, processing purposes, processors, locations, retention, and data flows. Architecture and Data Flow Diagram identify systems and component interactions. Sub-Processors List and DPA Register identify third-party processors. |
| ID.BE-P: Business Environment | ID.BE-P1 through ID.BE-P3 | Implemented | Deployment Model, Privacy Policy, DPA template, and Information Security Policy define HiringCoachAI's role as SaaS provider, processor/service-provider posture for customer end-user data, and controller/business posture for direct account and operational data. |
| ID.RA-P: Risk Assessment | ID.RA-P1 through ID.RA-P5 | Implemented | Internal Audit Program includes privacy checks, data-subject request tests, vendor review, AI governance review, and retention verification. AI Bias Evaluation evaluates algorithmic-output risk. Threat Model and Data Classification support risk prioritization. |
| ID.DE-P: Data Processing Ecosystem Risk Management | ID.DE-P1 through ID.DE-P5 | Partial | Vendor Risk Management Policy, DPA Register, Sub-Processors List, and Data Map identify vendors, data categories, contractual posture, SCC posture, review cadence, and offboarding expectations. ID.DE-P4 is generally not applicable to the current cloud-hosted SaaS delivery model except through standard DPAs, SCCs, and customer DPA terms. |
| GV.PO-P: Governance Policies, Processes, and Procedures | GV.PO-P1 through GV.PO-P6 | Implemented | Privacy Policy, Information Security Policy, Data Classification, Access Control Policy, AI Use Policy, Data Retention Policy, and DPA template establish privacy values, requirements, roles, processing conditions, retention, and user-rights commitments. |
| GV.RM-P: Risk Management Strategy | GV.RM-P1 through GV.RM-P3 | Implemented | Internal Audit Program, Vendor Risk Management Policy, Threat Model, and risk-tiering in vendor review define risk ownership, tolerance, review cadence, and escalation expectations. |
| GV.AT-P: Awareness and Training | GV.AT-P1 through GV.AT-P4 | Implemented | Security Awareness Training, Privacy/Data Handling Training Module, Acceptable Use Policy, Access Control Policy, DPA terms, and vendor contracts address privacy-related responsibilities for personnel and third parties. |
| GV.MT-P: Monitoring and Review | GV.MT-P1 through GV.MT-P7 | Implemented | Internal Audit Program, document-review cadence, vendor review cadence, privacy mailbox, data-subject request process, breach-notification process, and incident-response lessons-learned process provide ongoing review and response to privacy issues. |
| CT.PO-P: Data Processing Policies, Processes, and Procedures | CT.PO-P1 through CT.PO-P4 | Implemented | Privacy Policy, Cookie Policy, DPA template, Data Retention Policy, account export, account deletion, consent management, and SDLC documentation establish processing authorization, rights request handling, retention, and data lifecycle expectations. |
| CT.DM-P: Data Processing Management | CT.DM-P1 through CT.DM-P10 | Partial | Account export and deletion support review, portability, transmission, alteration, and erasure. Retention procedures support destruction. Audit logging is documented with data-minimization expectations. Granular permission propagation across all data elements, and stakeholder privacy preferences as explicit algorithmic constraints in every AI workflow, are scoped per feature. |
| CT.DP-P: Disassociated Processing | CT.DP-P1 through CT.DP-P5 | Partial | User-scoped identifiers, logical tenant separation, encryption, restricted fields, data minimization, and analytics consent controls reduce unnecessary observability and linkage. Advanced privacy-preserving computation, broad de-identification, and attribute-substitution patterns are not universal because the service must process user-identifiable account and career content to deliver the product. |
| CM.PO-P: Communication Policies, Processes, and Procedures | CM.PO-P1 through CM.PO-P2 | Implemented | Privacy Policy, Cookie Policy, AI Disclosure, DPA template, Sub-Processors List, Breach Notification, and designated privacy/security contact channels define how privacy practices and risks are communicated. |
| CM.AW-P: Data Processing Awareness | CM.AW-P1 through CM.AW-P8 | Partial | Public privacy notices, cookie notice, AI disclosure, trust-center documents, privacy mailbox, breach-notification process, export/deletion mechanisms, and customer DPA support transparency and requests. Detailed data provenance/lineage records and downstream disclosure records are maintained within current vendor and audit registries. |
| PR.PO-P: Data Protection Policies, Processes, and Procedures | PR.PO-P1 through PR.PO-P10 | Implemented | Security Overview, Access Control Policy, Change Management, SDLC, Patch Management, Incident Response, Business Continuity Plan, Disaster Recovery Plan, Background Checks, and vendor-managed backup controls establish protection procedures. |
| PR.AC-P: Identity Management, Authentication, and Access Control | PR.AC-P1 through PR.AC-P6 | Implemented | Authentication, account ownership, administrator authorization, least privilege, access review, offboarding, provider MFA for administrative accounts, and vendor-dashboard access controls limit access to authorized personnel and systems. |
| PR.DS-P: Data Security | PR.DS-P1 through PR.DS-P8 | Implemented with provider-managed components | Data at rest and in transit are protected through managed cloud encryption, HTTPS, HSTS, and field-level encryption for selected restricted values. Production and non-production environments are separated. Capacity, platform resilience, and hardware integrity are provider-managed. |
| PR.MA-P: Maintenance | PR.MA-P1 through PR.MA-P2 | Provider-managed | HiringCoachAI does not operate first-party datacenters or customer-hosted appliances. Cloud infrastructure maintenance is handled by managed providers; application changes follow Change Management and SDLC procedures. |
| PR.PT-P: Protective Technology | PR.PT-P1 through PR.PT-P4 | Implemented with provider-managed components | Removable media is restricted by policy. Least-functionality expectations, managed DNS/security edge, hosting protections, logging, backup, and recovery controls support resilience and protective technology outcomes. |
## Partial-Coverage Notes

| Area | Current limitation | Current handling |
|---|---|---|
| ISO 27701 | ISO 27701 certification has not been pursued. | HiringCoachAI uses the NIST Privacy Framework v1.0 as the privacy-framework mapping baseline for HECVAT PDOC-02. |
| NIST Privacy Framework certification | NIST Privacy Framework is a voluntary framework and does not itself provide certification. | This document is a self-assessment mapped to current controls and evidence. |
| Granular processing permissions | User privacy choices exist for consent-gated analytics/marketing and data-subject rights, but not every data element carries a machine-readable processing-permission object. | Data processing is constrained through Privacy Policy, Cookie Policy, account export/deletion, DPA terms, data minimization, vendor registry review, and retention controls. |
| Advanced de-identification and privacy-preserving computation | The core product must process identifiable career content to deliver resume, job-search, and coaching workflows. | The program uses user-scoped authorization, minimization, retention controls, encryption, vendor review, and consent controls rather than claiming universal de-identification. |
| Detailed data lineage and disclosure records | Current records identify vendors, processing purposes, and data categories, but not a per-field downstream lineage ledger for every individual record. | Data Map, Sub-Processors List, DPA Register, audit logs, and vendor-risk reviews provide current disclosure and processing evidence. |
| Provider-managed physical, hardware, and platform controls | HiringCoachAI does not operate first-party datacenters, physical servers, or network appliances. | Google Cloud, Firebase, Vercel, Cloudflare, Stripe, and other providers operate these controls under vendor terms and security programs reviewed through vendor risk management. |
## Maintenance

The Privacy Officer reviews this mapping at least annually and when any of the following occurs:

- A new category of personal data is collected.
- A new sub-processor receives personal data.
- A material AI, analytics, or user-rights workflow changes.
- A new privacy law or customer DPA obligation materially changes the program.
- NIST finalizes a new Privacy Framework version.
## References

- NIST Privacy Framework v1.0, "A Tool for Improving Privacy through Enterprise Risk Management," January 2020.
- NIST Privacy Framework v1.0 Core workbook.
- NIST Privacy Framework 1.1 Initial Public Draft materials, monitored for final publication.
## Change Log

| Date | Change |
|---|---|
| 2026-05-12 | Initial NIST Privacy Framework v1.0 mapping created for HECVAT PDOC-02. |