GRC CareersConnecting Talent and Trust. Post a Job Log in

Trust and Governance Disclosure

Last updated: June 13, 2026

GRC Careers (ai-governance-jobs.com) operates a job board and public petition platform for the governance, risk, compliance, privacy, and AI security community. Our users read disclosures like this one as part of their professional work, so this page is written in operational terms, not marketing terms. It documents how we handle listings, candidate data, and signature data, and how our practices map to recognized governance frameworks. It states what we do, what we do not do, and where each commitment is enforced.


1. Human in the Loop Verification (HITL)

Every job listing on GRC Careers is reviewed and approved by a human administrator before it appears in the public index. There is no exception to this control.

  • No direct-to-board automation. Automated feeds, bulk scrapers, and third-party ingests have no write path to the live board. They cannot publish a listing to the public index under any condition.
  • Manual approval is mandatory. Every listing enters a pending queue. A platform administrator visually inspects it and approves it by hand before it is published.
  • What the inspection catches. The review removes ghost jobs (roles that are not real or no longer open), expired listings, and malicious or misdirected apply links before any user can see or click them.

This produces a smaller board than an automated scraper board, by design. Every role a user sees has passed through a person.

2. Data Lifecycle and Zero Shadow Profiles

We collect the minimum data required to operate a job alert, an employer account, or a petition signature, and we hold it under a defined retention standard.

  • One-click removal. When a candidate or signer uses our removal tool, their name, email, and associated history are permanently deleted from active production databases within 72 hours.
  • Deletion, not deactivation. Removal purges the record. We do not move it to an archive, a flag, or a soft-deleted state that quietly retains the underlying identity.
  • No shadow profiles. We do not build hidden data caches, behavioral tracking logs, or secondary profiles about our users. We maintain an absolute zero shadow profile policy: if it is not the account, alert, or signature you gave us, it does not exist on our systems.
  • No sale or licensing. We do not sell, rent, or license user data to data brokers, advertisers, or model trainers.

3. Active Anti-Scraping Defenses

A platform that asks compliance professionals to trust it with their data has to defend that data at the infrastructure layer.

  • Bot detection and shielding. The platform runs behind active bot-detection and web-shielding layers engineered to block third-party automated harvesters from scraping user history or signature data.
  • No fuel for model training. These defenses specifically target the bulk collection of signer and candidate information for ingestion into AI training sets.
  • Signatures masked by default. Public petition signatures are masked unless a signer explicitly opts in to public display. A signer who does not opt in appears as a partial name and sector (for example, "Sarah M., AI Risk Manager, Healthcare"), never a full name, exact employer, or email address. This defeats automated directory crawling of our signer base.

4. Regulatory and Framework Alignment

Our operations are built to reflect the core principles of the governance standards our users work under. The statements below describe alignment with the principles of these frameworks and statutes. They are descriptions of operating practice, not claims of formal certification or legal compliance opinions. The common thread is that our Human in the Loop model removes the automated ranking, filtering, and scoring layer that most of these laws are written to regulate, which helps the employers who post with us navigate and comply with these statutes on our platform.

  • NIST AI Risk Management Framework: Our human approval control and our published data practices map to the framework's Govern and Manage functions: documented oversight, named risks (ghost jobs, malicious links, data misuse), and a human accountable for every published decision.
  • ISO/IEC 42001: We structure platform operations consistent with this standard's emphasis on documented governance, human oversight of automated processes, and transparency to affected individuals.
  • New York City Local Law 144: We do not operate an automated employment decision tool (AEDT). We do not rank, score, or screen candidates with an algorithm, meaning the independent bias audits, city agency enforcement reviews, and 10-day candidate notice mandates governed by this law do not apply to our platform operations.
  • Illinois Artificial Intelligence Video Interview Act and HB 3773: Effective in 2026, Illinois requires strict notice and consent if AI is used to screen resumes, direct targeted job advertisements, or analyze video interviews. Because we rely entirely on text-based listings and human review, we hold no biometric data and run no automated screening filters.
  • Texas Responsible Artificial Intelligence Governance Act (TRAIGA): This act mandates meaningful human oversight and risk management to eliminate algorithmic discrimination for entities doing business in Texas. Our core architecture is built entirely on human validation, directly supporting these oversight requirements.
  • Colorado AI Act (SB 205): This statute classifies automated employment systems as high-risk AI deployments, requiring developers and employers to prevent algorithmic discrimination and provide conspicuous pre-use notices. We eliminate the high-risk automated layer entirely by providing an unmanipulated feed of verified jobs.
  • Maryland Labor and Employment Section 3-717: This law strictly regulates the use of facial recognition services during pre-employment interviews. Our platform handles text-based postings only and holds no video or facial template data whatsoever.
  • Washington AI Task Force (ESSB 5838): Administered by the Attorney General to monitor algorithmic discrimination and workplace impacts, our proactive privacy controls and candidate data pledge align directly with the state's legislative and transparency goals.

5. Data Chain of Custody (Controller and Processor)

To keep data subject rights clear under GDPR, CCPA/CPRA, and comparable frameworks, our chain of custody is delineated as follows:

  • Platform account data. For data required to create a GRC Careers account, run a job alert, or sign the pledge, GRC Careers LLC acts as the Data Controller.
  • Application data. When a candidate applies to a specific posting, the hiring employer becomes the Data Controller of that application. In that transaction GRC Careers acts strictly as a Data Processor facilitating the transfer. Requests to delete application data held by an employer must be directed to that employer.

6. Global Jurisdiction and Cross-Border Governance

Because GRC Careers can be reached globally, we operate under a unified compliance architecture modeled after the strictest data and AI frameworks (including the EU GDPR, the EU AI Act, Canada's AIDA, and California's CPRA).

  • Algorithmic fairness footprint. Because our platform mandates human in the loop processing and prohibits standalone algorithmic sorting, the automated decision-making rules emerging across U.S. states (ADMT rules) regulate a layer we do not operate.

Exercising Your Rights

To remove your data, to ask what we hold about you, or to report a listing, use the on-site removal tool or contact privacy@ai-governance-jobs.com. For formal data subject access requests (DSARs) you may also reach our data privacy contact at contact@ai-governance-jobs.com. We respond to verified requests within the 72 hour standard stated above.