Qwestly Data Management Policy

Purpose

• Ensure information is classified, protected, retained, and securely disposed of based on its sensitivity and legal requirements.
• Align with Qwestly's privacy promise: anonymous profiles, user control, and no identity sharing without consent.
• Maintain compliance with GDPR, CCPA, SOC 2, and employment-related data protection laws.

Scope

• Applies to all Qwestly data and information systems.
• Includes candidate, customer, internal, AI/ML, and vendor data.
• Covers the full data lifecycle: collection to disposal.

Policy Statement

• Data and systems are classified based on legal, business, and security needs.
• Processing activities must have a documented legal basis and honor privacy rights.
  Information systems are classified by the highest sensitivity of data they handle.

Regulatory Compliance Requirements

• GDPR: Legal basis, rights management, DPIAs, consent tracking, cross-border safeguards.
• CCPA: Notice, access, deletion, opt-out, non-discrimination.
• Employment Data Laws: EEOC, FCRA, I-9, wage/hour laws.
• SOC 2: Annual audits, penetration testing, encryption in transit and at rest.

Data Processing Principles

• Purpose limitation: Data is used only for stated reasons (e.g. matching jobs).
• Minimization: We only collect what's needed.
• Accuracy: Keep data updated.
• Storage limitation: Data auto-deleted after expiration.
• Accountability: Full audit trails and documentation.

Data Classification

• Confidential: Includes full candidate profiles, identity info, financials, AI models. Only accessible with CEO/CTO approval.
• Restricted: Internal policies, reports, contracts, Slack messages. Access limited to job need.
• Public: Job postings, marketing, website content.

Qwestly-Specific Data Handling

• Anonymous profiles: Default candidate view for companies. Identity is shown only with explicit consent.
• AI Matching: No personal data is stored in AI models. Matching is opt-out.
• User Review: Candidates are responsible for reviewing/editing their anonymous profile before it becomes visible.

Third-Party Sharing

• Customers: See anonymized profiles. Identity revealed only with candidate's permission.
• Vendors: Must sign Data Processing Agreements (DPAs). Security is verified.
• International transfers: Use SCCs and lawful bases.

Data Subject Rights

• Access: Download your data (JSON/CSV) within 30 days.
• Correction: Self-edit or request updates.
• Deletion: One-click deletion processed in 30 days unless law requires retention.
• Portability: Export your profile.
• Opt-out: Withdraw consent or disable matching features.

Data Retention & Disposal

Data Type	Retention Period	Justification
Active profiles	While active	Provide services
Inactive profiles	3 years	For reactivation
Interview data	3 years	Improve experience
Anonymous usage	Up to 3 years	Platform improvement
Financial data	7 years	Legal requirement
Background checks	2 years or by law	Legal requirement
AI training (anonymized)	7 years	Improve models
Consent records	10 years	Legal compliance

• Auto-delete mechanisms applied after retention.
• Secure deletion: Digital wiping and shredding printouts.

AI Governance

• Training data is anonymized and documented.
• AI models are regularly tested for fairness and accuracy.
• Users are informed when AI is used.
• Human review is available upon request.

Breach Response

• Within 4 hours: Contain and notify CTO/CEO.
• Within 24 hours: Investigate and log issue.
• Within 72 hours: Notify regulators (if needed).
• Within 30 days: Inform individuals.
• Review and document incident.

Remote Work & Contractors

• Encrypted access, VPN required for sensitive info.
• Least-privilege access model enforced.

Annual Review & Enforcement

• Policy reviewed yearly.
• Violations may result in access loss, disciplinary action, or legal steps.
• Anonymous reporting via conduct@qwestly.com.

Document History

Version	Date	Description	Written by	Approved by
1.0.0	6/13/25	Initial version	Adam Boender	Dominick Pham
1.1.0	6/25/25	Privacy-aligned updates	Adam Boender	Dominick Pham