WRKROOT Incident Response And Data Breach Policy

Last updated: May 3, 2026

1. Policy Objectives

WRKROOT's incident response objectives are to:

• Receive and evaluate suspected incidents.
• Protect users, clients, talent, WRKROOT systems, and platform data.
• Contain and investigate suspected unauthorized activity.
• Preserve relevant evidence and logs.
• Coordinate with vendors and service providers where needed.
• Assess legal, contractual, security, operational, and business impact.
• Determine whether notice is required by law, contract, BAA, or WRKROOT's severity-based judgment.
• Remediate and reduce recurrence risk where practical.

No policy can prevent every incident or guarantee a particular response outcome.

2. Security Incident Contact

Suspected security incidents, account compromise, vulnerability reports, unauthorized access, suspicious activity, or data exposure may be reported to:

Security: info@wrkroothr.com Support: info@wrkroothr.com Legal: info@wrkroothr.com

Reports should include enough detail for WRKROOT to investigate, such as account names, timestamps, URLs, screenshots, logs, message IDs, ticket IDs, invoice numbers, affected records, suspected source, and contact information.

3. Examples Of Reportable Events

Reportable events may include:

• Suspected unauthorized account access.
• Stolen, compromised, or shared credentials.
• Phishing or social engineering targeting WRKROOT users.
• Malware, ransomware, or suspicious files.
• Unauthorized access to platform data.
• Unauthorized disclosure of client, talent, billing, contract, credential, assessment, attendance, KPI, support, or account data.
• Lost or stolen devices containing WRKROOT data.
• Misdelivered files or communications.
• Accidental exposure of personal information.
• Suspicious admin activity.
• Abuse of permissions.
• Vendor or service provider incidents.
• Payment or billing data exposure.
• Suspected PHI exposure in approved healthcare/BAA workflows.
• Vulnerabilities that could affect WRKROOT systems.

Staff, contractors, admins, recruiters, and service providers must report suspected incidents immediately, even if they are unsure whether an incident has occurred.

4. Severity Classification

WRKROOT may classify incidents by severity based on available information and business judgment.

Severity levels may include:

• Low: Limited issue with minimal or no apparent impact to confidentiality, integrity, availability, users, clients, talent, or WRKROOT operations.
• Medium: Issue with potential or limited impact, possible unauthorized access, limited data exposure, or operational disruption requiring review and remediation.
• High: Significant suspected or confirmed unauthorized access, data exposure, service disruption, account compromise, vendor impact, legal risk, client/talent impact, or security concern.
• Critical: Severe suspected or confirmed compromise, widespread data exposure, ransomware, major service disruption, active exploitation, significant legal/regulatory risk, PHI/BAA impact, payment data risk, or material business impact.

Severity may change as WRKROOT learns more during investigation.

5. Incident Response Process

WRKROOT's response may include:

• Intake and logging.
• Initial triage.
• Severity classification.
• Containment.
• Access restriction or account reset.
• Evidence and log preservation.
• Investigation.
• Vendor/provider coordination.
• Impact assessment.
• Legal and contractual review.
• Client, user, regulator, law enforcement, payment provider, or BAA notice assessment.
• Remediation.
• Recovery.
• Monitoring.
• Post-incident review.

WRKROOT may adapt the response process based on incident type, severity, provider dependencies, affected data, legal requirements, contractual requirements, BAA obligations, and operational circumstances.

6. Breach Determination

Not every security incident is a legal "data breach."

Only designated WRKROOT leadership, legal, security, or other authorized decision-makers may determine whether an event is legally a breach requiring notice.

Breach determinations may consider:

• Type of data involved.
• Whether data was encrypted, protected, redacted, or otherwise unreadable.
• Whether data was actually acquired, accessed, disclosed, or misused.
• Number and type of affected individuals, clients, talent, or records.
• Likelihood of harm.
• Legal definitions and thresholds.
• Contractual obligations.
• BAA obligations.
• Regulatory guidance.
• Vendor information.
• Forensic findings.
• Mitigation steps.
• Severity.

WRKROOT may continue investigating after an initial determination and may update the determination if new information becomes available.

7. Evidence Preservation

During incident review, WRKROOT may preserve relevant evidence, including:

• Logs.
• Account records.
• IP addresses.
• User agents.
• Device/browser metadata.
• Admin actions.
• Support tickets.
• Email records.
• Contract records.
• Billing records.
• File metadata.
• Access records.
• Vendor communications.
• User/client/talent communications.
• Screenshots or other evidence.

Users, staff, contractors, admins, and vendors must not delete, alter, conceal, overwrite, destroy, or modify relevant records after becoming aware of a suspected incident unless authorized by WRKROOT.

Deletion requests may be suspended during incident investigation, legal hold, dispute, audit, regulatory request, litigation threat, or security review.

8. Vendor And Service Provider Incidents

If an incident involves a vendor, hosting provider, payment provider, email provider, storage provider, electronic signature provider, analytics provider, support provider, verification provider, or other service provider, WRKROOT may:

• Request incident details from the vendor.
• Request containment and remediation steps.
• Review affected systems, records, and data categories.
• Assess contractual obligations.
• Assess legal and notice obligations.
• Coordinate response actions.
• Preserve vendor communications.
• Suspend or restrict affected integrations where appropriate.
• Consider replacement, remediation, or additional safeguards.

WRKROOT's ability to investigate vendor incidents may depend on vendor cooperation, vendor logs, contractual rights, and technical access.

9. Healthcare, PHI, And BAA Incidents

WRKROOT may support healthcare customers where talent may access or handle PHI within customer systems or approved workflows.

Suspected incidents involving PHI or BAA-covered workflows should be escalated to legal/security as appropriate.

WRKROOT will handle PHI/BAA-related incidents according to applicable law, the applicable BAA, customer instructions, and the facts of the incident.

WRKROOT does not assume HIPAA breach-notification obligations beyond those required by law, written agreement, or applicable BAA.

Healthcare customers remain responsible for their own systems, access controls, training, supervision, PHI handling, and breach-notification obligations unless a written agreement states otherwise.

10. Notifications

WRKROOT may notify affected users, clients, talent, vendors, payment providers, regulators, law enforcement, or other parties when WRKROOT determines notice is required by law, contract, BAA, or severity-based business judgment.

Notice timing, content, recipients, and method may depend on:

• Applicable law.
• Contract terms.
• BAA terms.
• Severity.
• Investigation status.
• Risk of harm.
• Law enforcement guidance.
• Regulatory requirements.
• Vendor information.
• Availability of accurate contact information.
• Need to avoid increasing security risk.

WRKROOT may delay notice where permitted or required to support investigation, containment, law enforcement needs, legal review, or accurate communication.

11. Law Enforcement, Regulators, And External Reporting

WRKROOT may contact or cooperate with law enforcement, regulators, CISA, payment providers, hosting providers, insurers, legal counsel, forensic providers, or other parties where required or where WRKROOT determines it is appropriate.

WRKROOT may voluntarily report certain cyber incidents where WRKROOT determines voluntary reporting is useful or appropriate.

Only authorized WRKROOT personnel may make external reports or official statements.

12. Centralized Communications

External incident communications must be centralized.

Staff, contractors, admins, recruiters, users, and service providers must not independently contact clients, talent, regulators, law enforcement, media, payment providers, vendors, or the public about an incident unless authorized by WRKROOT.

This helps protect investigation integrity, avoid inaccurate statements, reduce legal risk, and ensure consistent communications.

13. User And Client Responsibilities

Users and clients are responsible for:

• Promptly reporting suspected incidents.
• Keeping contact information current.
• Protecting credentials.
• Using MFA where available.
• Avoiding account sharing.
• Following WRKROOT instructions during investigation.
• Preserving relevant evidence.
• Avoiding unauthorized public statements.
• Cooperating with reasonable investigation requests.
• Securing their own systems, accounts, devices, networks, and workflows.

Clients remain responsible for their own legal, regulatory, customer, healthcare, HIPAA, employment, tax, security, and industry obligations unless a written agreement states otherwise.

14. Remediation And Post-Incident Review

After an incident, WRKROOT may take remediation steps such as:

• Password resets.
• MFA enforcement.
• Account suspension.
• Access restriction.
• Token/key rotation.
• Vendor remediation.
• Configuration changes.
• Patch or code changes.
• Additional monitoring.
• Policy updates.
• Training or reminders.
• Record preservation.
• Legal or contractual action.

WRKROOT may conduct a post-incident review based on severity, business impact, legal requirements, and operational needs.

15. Changes To This Policy

WRKROOT may update this Policy from time to time. The updated version will be indicated by the "Last updated" date above. WRKROOT may provide notice through the website, platform, email, in-app notification, dashboard notice, or another reasonable method.

Your continued access to or use of WRKROOT after an updated Policy becomes effective means you accept the updated Policy.

16. Contact

Security incident reports or questions may be sent to:

WRKROOT HR SOLUTIONS LLC, 30 N Gould St Ste N, Sheridan, SHERIDAN COUNTY, WY 82801 USA Security: info@wrkroothr.com Support: info@wrkroothr.com Legal: info@wrkroothr.com