Table of Contents

Information Security Roles and Responsibilities

Policy Overview

Qwestly is committed to protecting customer data and business assets by defining clear security responsibilities across all roles. This policy supports SOC 2 Type II compliance and reflects our values of trust, privacy, and operational excellence in our AI-powered hiring marketplace.

Scope

Applies to all Qwestly employees, contractors, systems, and business processes involving information security, data protection, and AI/ML governance.

Executive Leadership

CEO (Adam Boender)

Primary Responsibilities:

Owns overall security program strategy and regulatory compliance
Approves security policies, budgets, and strategic security investments
Leads business risk decisions and external stakeholder communication
Serves as executive sponsor for SOC 2, GDPR, and customer security programs

Customer & External Relations:

Primary contact for customer security reviews and executive-level security discussions
Manages security-related customer communications during incidents
Interfaces with board, investors, and legal counsel on security matters
Approves security terms in customer contracts and vendor agreements

Backup: CTO (for customer communications and strategic decisions)

CTO (Dominick Pham)

Primary Responsibilities:

Leads day-to-day security operations and technical implementation
Designs and maintains security architecture for all systems and applications
Oversees threat detection, vulnerability management, and incident response
Manages technical aspects of vendor security assessments

Technical Leadership:

Implements and maintains cloud security, network controls, and application security
Coordinates security testing, penetration tests, and vulnerability assessments
Manages security tooling, monitoring, and alerting systems
Leads technical incident response and system recovery efforts

Backup: CEO (for strategic decisions) + Senior Engineer (for technical implementation)

Specialized Security Roles

Data Protection Officer (DPO) - CTO

Regulatory Compliance:

Ensures compliance with GDPR, CCPA, FCRA, and hiring-specific data regulations
Manages data subject requests (access, deletion, portability)
Conducts privacy impact assessments for new features and data processing
Maintains data processing records and privacy notices

Data Governance:

Oversees data classification, retention, and disposal policies
Reviews AI training data sources and usage rights
Manages cross-border data transfer agreements and adequacy decisions

Backup: CEO (for regulatory communications) + External Legal Counsel

Security Officer - CTO

Compliance & Risk Management:

Maintains SOC 2 compliance program and coordinates annual audits
Owns policy management, reviews, and updates
Conducts internal security audits and risk assessments
Manages security awareness training program and tracks completion

Third-Party Risk:

Leads vendor security assessments and due diligence
Maintains vendor risk register and monitors ongoing compliance
Reviews and approves security terms in vendor contracts

Backup: CEO (for vendor approvals and compliance decisions)

Customer Security Liaison - CEO (Primary) / CTO (Technical)

Customer Relations:

Responds to customer security questionnaires and RFPs
Coordinates customer security audits and assessments
Manages security aspects of customer onboarding and requirements
Maintains customer-facing security documentation and certifications

Communication & Transparency:

Provides security updates and breach notifications to customers
Manages security-related customer support escalations
Coordinates penetration testing schedules and results sharing

Engineering & Operations

Application/System Owners (Engineering Team)

System Security:

Maintain security and uptime of owned applications and services
Implement secure coding practices and conduct security testing
Manage application-level access controls and authentication
Coordinate with CTO on logging, monitoring, and incident response

Data & Encryption:

Implement data encryption in transit and at rest
Manage application secrets and API key security
Ensure secure data handling and processing in owned systems

Backup Assignment: Cross-training between engineering team members for critical systems

DevSecOps Lead - Senior Engineer

Secure Development:

Maintains security of CI/CD pipelines and development environments
Conducts security code reviews and dependency scanning
Manages development/production environment separation
Implements security testing in deployment pipelines

Infrastructure Security:

Monitors cloud infrastructure security and compliance
Manages container and application security scanning
Coordinates security patching and vulnerability remediation

AI/ML Security & Governance

AI Security Lead - CTO

Data Governance:

Approves AI training data sources and validates data rights
Monitors data quality and implements bias detection protocols
Maintains audit trails for AI decision-making processes
Ensures compliance with AI transparency requirements

Model Security:

Implements model security and prevents unauthorized access
Monitors for model bias and implements correction procedures
Manages AI model versioning and rollback capabilities
Coordinates AI-related incident response and model updates

Ethics & Transparency:

Reviews AI use cases for ethical implications and bias risks
Maintains documentation for AI decision explainability
Notifies customers about AI-driven decisions per regulatory requirements

All Personnel Responsibilities

Employees (All Staff)

Security Hygiene:

Follow all security policies and complete required training (annual minimum)
Use strong passwords/passphrases and enable MFA on all accounts
Report security incidents and suspicious activities immediately
Secure physical devices and handle sensitive data appropriately

Ongoing Obligations:

Participate in security awareness training and phishing simulations
Report policy violations and security concerns without retaliation
Maintain current emergency contact information for security escalations

Contractors & Consultants

Access & Compliance:

Complete security training before system access (within 5 business days)
Comply with all Qwestly security policies and data handling requirements
Limit access to authorized systems only and follow least-privilege principles
Sign confidentiality and data protection agreements before engagement

Incident Response Structure

Incident Commander - CTO

Technical Response (0-1 hour):

Leads initial assessment, containment, and impact analysis
Coordinates technical investigation and evidence preservation
Manages system recovery and service restoration
Documents technical timeline and root cause analysis

Business Lead - CEO

Business Response (1-4 hours):

Manages external communications and stakeholder notifications
Coordinates customer, regulatory, and legal notifications
Handles media relations and public communications if required
Makes business continuity and operational decisions

Joint Escalation Triggers:

Immediate (0-30 minutes): Customer data exposure, system outages, security tool alerts
1 Hour: Potential regulatory notification required, customer impact confirmed
4 Hours: Multi-system impact, extended outage, or media/legal attention

Emergency Contacts:

Primary: CTO Mobile, CEO Mobile, security@qwestly.com
Backup: External legal counsel, cyber insurance carrier, key customers (if applicable)

Vendor & Customer Interface

Vendor Security Management

Pre-Approval Process (CTO leads, CEO approves):

Security assessment for all vendors with data or system access
Review of vendor SOC 2 reports, security certifications, and policies
Approval of data processing agreements and security terms
Ongoing monitoring of vendor security posture and incident notifications

Customer Security Interface

Proactive Engagement (CEO leads, CTO supports):

Quarterly security updates to enterprise customers
Annual penetration testing with results sharing (summary level)
Security roadmap presentations for strategic accounts
Customer security advisory board participation

Performance & Accountability

Security Metrics (Monthly Reporting)

Operational Metrics:

Security training completion rates (target: 100% within 30 days)
Incident response times (target: <1 hour initial response)
Vulnerability remediation times (critical: 72 hours, high: 7 days)
Access review completion (quarterly, 100% completion)

Compliance Metrics:

Policy review and update status
Vendor security assessment completion
Customer security questionnaire response times
Audit finding remediation progress

Quarterly Reviews

Security Effectiveness Assessment:

Joint CEO/CTO review of security metrics and incidents
Risk register updates and mitigation progress
Security tool effectiveness and ROI analysis
Training effectiveness and awareness improvements

Annual Assessments

Strategic Security Review:

Security program maturity assessment
Compliance gap analysis and remediation planning
Security budget planning and technology roadmap
Third-party security audit results and action planning

Backup & Succession Planning

Critical Function Coverage

Primary/Backup Assignments:

Security Officer: CTO (primary) → CEO (backup) → External Security Consultant
Incident Commander: CTO (primary) → Senior Engineer (backup) → CEO (emergency)
Customer Security: CEO (primary) → CTO (backup) → External Relations Consultant
DPO Functions: CTO (primary) → External Legal Counsel (backup)

Emergency Procedures

Unavailability Protocols:

24/7 contact information maintained for CEO and CTO
Backup communication channels: personal mobile, Signal, emergency email
Decision-making authority matrix for different scenario types
Customer communication templates for various incident severities

Training & Awareness

Security Training Program (CTO-led)

Onboarding (Within 5 business days):

General security awareness and policy overview
Role-specific security training (engineering, customer-facing, admin)
Hands-on MFA setup and password manager configuration
Emergency contact and incident reporting procedures

Ongoing Training (Annual minimum):

Updated security awareness covering current threats
Phishing simulation exercises (quarterly)
Incident response tabletop exercises (semi-annual)
AI/ML security and bias awareness (for relevant roles)

Specialized Training:

Engineering: Secure coding, vulnerability assessment, incident response
Customer-facing: Data protection, customer security communication
Leadership: Risk management, regulatory compliance, crisis communication

Document Management & Change Control

Version Control

Change Management Process:

Proposed Changes: Any employee can suggest policy updates via security@qwestly.com
Review: CTO reviews technical changes, CEO reviews business impact
Approval: Joint CEO/CTO approval required for material changes
Communication: All staff notified of changes within 5 business days
Training: Updated training provided if role responsibilities change

Review Schedule

Regular Reviews:

Quarterly: Metrics review and minor updates (CTO-led)
Annual: Comprehensive policy review and major updates (CEO/CTO joint)
Triggered: After security incidents, organizational changes, or regulatory updates

Regulatory Compliance Framework

Applicable Regulations

Primary Compliance Obligations:

SOC 2 Type II (annual audit cycle)
GDPR (EU data subjects and operations)
CCPA (California residents and business)
FCRA (employment screening and background checks)
State and federal hiring data protection laws

Legal & Regulatory Interface

External Support:

Legal counsel engaged for incident response, contract reviews, and regulatory guidance
Cyber insurance carrier coordination for covered security events
External auditors for SOC 2 and specialized compliance assessments

Contact Information

Primary Contacts:

General Security: security@qwestly.com
Executive Escalation: adam@qwestly.com (CEO), dominick@qwestly.com (CTO)
Customer Security: security@qwestly.com (first response), adam@qwestly.com (escalation)
Incident Reporting: security@qwestly.com (monitored 24/7 via alert system)

External Resources:

Legal Counsel: [To be populated with firm contact information]
Cyber Insurance: [To be populated with carrier and claim contact information]
External Security Advisor: [To be populated if/when engaged]

Document History

Version	Date	Description	Written by	Approved by
1.0.0	6/13/25		Dominick Pham	Adam Boender

_private/qwestly-docs/Policies/Information Security Roles and Responsibilities.md