WRKROOT Information Security Policy
Last updated: May 3, 2026
1. Security Objective
WRKROOT seeks to use reasonable administrative, technical, and organizational safeguards designed to protect the confidentiality, integrity, and availability of platform information.
Security is a shared responsibility between WRKROOT, users, clients, talent, admins, service providers, and other authorized participants. No system, service, provider, software, network, or process can be guaranteed to be completely secure.
This Policy does not create a guarantee, warranty, service-level commitment, insurance obligation, or absolute security promise.
2. Information Covered
This Policy applies to information processed through WRKROOT, including:
- Account records.
- Identity and contact information.
- Talent profiles.
- Client profiles.
- Company information.
- Hiring requests.
- Credentials.
- Assessments.
- Contracts.
- Electronic signatures.
- Billing records.
- Payment method metadata.
- Attendance records.
- Time off and holiday records.
- KPI/productivity records.
- Support tickets.
- Notifications.
- Email records.
- Uploaded files.
- Audit logs.
- Admin notes.
- Security records.
3. Access Control
WRKROOT uses role-based access controls and business-need access principles to limit access to platform records.
Access to sensitive records should be limited based on role and authorized business need, including:
- Billing records.
- Payment method metadata.
- Contracts.
- Electronic signatures.
- Credentials.
- Assessments.
- Attendance records.
- KPI records.
- Support internal notes.
- Account controls.
- Admin notes.
- Security logs.
- Healthcare/BAA-related records where applicable.
WRKROOT may review, modify, restrict, suspend, or revoke access where appropriate.
4. Admin, Staff, And Contractor Security Responsibilities
Admins, recruiters, staff, contractors, and other authorized personnel must:
- Use strong passwords.
- Use MFA where available.
- Keep credentials confidential.
- Avoid shared accounts.
- Access only records needed for authorized business purposes.
- Protect confidential information.
- Avoid downloading or exporting platform data except for authorized business needs.
- Avoid storing WRKROOT data in unauthorized personal accounts, devices, drives, or tools.
- Report suspected account compromise, unauthorized access, lost devices, suspicious activity, phishing, malware, or security incidents promptly.
- Follow WRKROOT security, privacy, confidentiality, access-control, and acceptable-use requirements.
WRKROOT may suspend or revoke access for personnel who violate security requirements or create security risk.
5. Audit Logging And Monitoring
WRKROOT may log, monitor, review, and audit access to platform records, including admin/staff access, account controls, contract actions, credential review, billing actions, support activity, attendance review, assessment review, notifications, and other operational workflows.
Audit logs may be used for:
- Security monitoring.
- Fraud prevention.
- Abuse detection.
- Operational accountability.
- Dispute resolution.
- Legal defense.
- Compliance.
- Client/talent safety.
- Marketplace integrity.
- Incident response.
Audit logs may be retained according to the Data Retention And Deletion Policy.
6. Data Protection Safeguards
WRKROOT seeks to protect data using reasonable safeguards appropriate to the type of information, platform maturity, service provider capabilities, and business risk.
Safeguards may include:
- Access controls.
- Authentication controls.
- MFA where available.
- Password hashing.
- Encryption in transit.
- Encryption at rest where supported by providers.
- Secure file storage practices.
- Provider access controls.
- Administrative access limits.
- Audit logs.
- Backups.
- Security monitoring.
- Secure configuration practices.
- Vulnerability review and remediation where practical.
- Data minimization and retention controls.
- Incident response procedures.
- Vendor review where practical.
WRKROOT may update safeguards as the platform, providers, risks, legal requirements, and business operations evolve.
7. Cloud, Hosting, And Vendor Security
WRKROOT may use cloud, hosting, storage, database, email, payment, electronic signature, analytics, support, verification, and other service providers.
Likely hosting/cloud provider: to be finalized.
WRKROOT will seek to use reputable cloud and service providers and review vendor security where practical, based on the provider's role, sensitivity of data, available documentation, contractual terms, security posture, and WRKROOT's business needs.
Service providers may maintain their own security programs, certifications, infrastructure, subprocessors, controls, terms, and incident processes.
WRKROOT is not responsible for third-party provider failures except where required by law or a written agreement.
8. Backups And Recovery
WRKROOT should maintain backups or disaster recovery processes appropriate to the platform's needs and provider capabilities.
Backup access should be restricted to authorized personnel or providers with a business need.
Backup retention, deletion, and preservation are governed by the Data Retention And Deletion Policy.
Backups may be retained, deleted, overwritten, archived, or restored according to provider tools, operational needs, legal holds, security incidents, disaster recovery requirements, and business continuity needs.
9. Data Downloads, Exports, And Local Storage
Staff, contractors, admins, and other authorized personnel must not download, export, copy, transfer, print, or locally store platform data unless authorized for a legitimate business purpose.
Where downloads or exports are necessary, personnel must:
- Limit the data to what is needed.
- Store it securely.
- Avoid unauthorized personal devices or accounts.
- Delete or return it when no longer needed, unless retention is required.
- Protect it from unauthorized access, disclosure, loss, or misuse.
WRKROOT may restrict export tools, review export activity, or revoke access where appropriate.
10. Healthcare, HIPAA, And BAA Safeguards
WRKROOT may support healthcare customers where talent may access or handle PHI within customer systems or approved workflows.
Healthcare/BAA-related workflows require additional care, including:
- Limiting access to authorized users.
- Applying minimum necessary principles where applicable.
- Avoiding PHI uploads unless expressly approved through an authorized workflow.
- Escalating PHI-related workflows to legal/security before implementation where appropriate.
- Following applicable BAA terms.
- Following customer instructions, access controls, and security requirements.
- Reporting suspected PHI incidents promptly.
- Maintaining appropriate administrative, technical, and organizational safeguards.
Healthcare customers remain responsible for determining whether HIPAA/BAA obligations apply, limiting PHI shared with WRKROOT, and ensuring their own systems, workflows, training, supervision, and compliance controls are appropriate.
11. Vulnerability And Security Issue Handling
WRKROOT may review, triage, and remediate reported vulnerabilities or security issues based on severity, exploitability, business risk, legal obligations, available resources, provider dependencies, and platform priorities.
Users, researchers, clients, talent, and third parties should not conduct vulnerability scanning, penetration testing, scraping, probing, exploitation, social engineering, or security testing without WRKROOT's prior written authorization.
Suspected vulnerabilities or security issues may be reported to info@wrkroothr.com.
Reports should include enough detail for WRKROOT to understand and investigate the issue.
12. Incident Response
WRKROOT maintains or will maintain incident response processes appropriate to its size, platform maturity, risk profile, legal obligations, and provider environment.
Incident response may include:
- Intake and triage.
- Containment.
- Investigation.
- Evidence preservation.
- Provider coordination.
- Legal review.
- Customer or user notice where required.
- Regulatory or law enforcement notice where required.
- Remediation.
- Post-incident review.
Specific breach or incident procedures may be described in WRKROOT's Incident Response / Data Breach Policy.
13. User Security Responsibilities
Users are responsible for:
- Keeping login credentials confidential.
- Using strong passwords.
- Using MFA where available.
- Keeping email and phone contact information current.
- Logging out of shared devices.
- Avoiding credential sharing.
- Avoiding suspicious links or attachments.
- Reporting suspected unauthorized access promptly.
- Uploading only authorized, necessary, malware-free files.
- Complying with WRKROOT policies and instructions.
WRKROOT is not responsible for security incidents caused by user negligence, shared credentials, compromised user devices, unauthorized third-party access, phishing, malware on user systems, or user failure to follow security instructions, except where required by law or written agreement.
14. Security Review
WRKROOT may review and update security practices periodically based on business needs, platform changes, incidents, vendor changes, legal requirements, and risk.
Security review cadence: to be finalized.
Security practices may change over time and may differ by feature, provider, environment, customer requirement, or data category.
15. Changes To This Policy
WRKROOT may update this Policy from time to time. The updated version will be indicated by the "Last updated" date above. WRKROOT may provide notice through the website, platform, email, in-app notification, dashboard notice, or another reasonable method.
Your continued access to or use of WRKROOT after an updated Policy becomes effective means you accept the updated Policy.
16. Contact
Security issues, suspected compromise, or security questions may be sent to:
WRKROOT HR SOLUTIONS LLC
30 N Gould St Ste N, Sheridan, SHERIDAN COUNTY, WY 82801 USA
- Security: info@wrkroothr.com
- Support: info@wrkroothr.com
- Legal: info@wrkroothr.com