Version: 1.0.0
Last Updated: 2026-02-10
Status: Active
Module: HR
Cross-References:
Overview
This document defines the mandatory compliance requirements and sign-off gates that must be satisfied before enabling Background Check (Checkr) and SMS notification features in production. Each gate requires documented approval from the designated authority before the feature can be activated for an organization.
Current Verification Status (2026-03-03)
| Area | Implementation | Sign-Off | Target |
|---|---|---|---|
| F-01–F-12 (FCRA) | Spec and DB/RLS in place (HR-09-P5.2); Checkr live integration not yet enabled. Tables: hr_background_checks, hr_background_check_webhook_audit. | All ☐ Pending | Gate 1 target: when HR-09-P5.2 ships (Q2 2026) |
| T-01–T-12 (TCPA) | Spec and DB/RLS in place; hr_sms_consent_logs, consent types, PHI detection pattern. SMS delivery via existing send-sms-notification edge function. | All ☐ Pending | Gate 2 target: when SMS feature enabled for orgs (Q2 2026) |
Pre-requisite for Gate 1: HR-09-P5.2 (Background Check Integration) must be implemented and deployed before Checkr can be enabled for any organization. Until then, all F-* requirements remain “implementation ready, sign-off pending.”
1. FCRA Compliance Requirements (Background Checks)
The Fair Credit Reporting Act (FCRA) governs how consumer reports (background checks) are obtained, used, and disclosed in employment decisions.
1.1 Pre-Screening Requirements
| # | Requirement | Implementation | Status | Sign-Off |
|---|---|---|---|---|
| F-01 | Written Disclosure — Provide applicant a standalone written disclosure that a background check may be obtained | fcra_disclosure_document_url field on hr_background_checks | ☐ Pending | ________ |
| F-02 | Written Authorization — Obtain written consent from the applicant before ordering the report | Consent captured via Candidate Portal (HR-09-P5 Phase 5.3) with timestamped record | ☐ Pending | ________ |
| F-03 | Certification to CRA — Certify to the Consumer Reporting Agency (Checkr) that all FCRA requirements have been met | Checkr API invitation flow includes employer certification | ☐ Pending | ________ |
| F-04 | State-Specific Disclosures — Include any state-specific disclosure addenda (e.g., CA, NY, WA) | Organization-level document configuration in settings | ☐ Pending | ________ |
1.2 Adverse Action Process
The FCRA mandates a two-step adverse action process when a background check result may negatively impact an employment decision.
| # | Requirement | Implementation | Status | Sign-Off |
|---|---|---|---|---|
| F-05 | Pre-Adverse Action Notice — Send the applicant a copy of the report, a summary of rights, and a pre-adverse action letter before making a final decision | adverse_action_notice_sent_at + adverse_action_notice_document_url fields; FCRAAdverseActionStatus = 'notice_sent' | ☐ Pending | ________ |
| F-06 | Waiting Period — Allow a reasonable waiting period (typically 5 business days) for the applicant to dispute | dispute_window_closes_at field with configurable window; system blocks final action until window expires | ☐ Pending | ________ |
| F-07 | Dispute Handling — Process applicant disputes by re-investigating through the CRA | dispute_submitted, dispute_reason, dispute_resolved_at fields; FCRAAdverseActionStatus = 'dispute_pending' → 'resolved' | ☐ Pending | ________ |
| F-08 | Final Adverse Action Notice — If decision stands after dispute window, send final adverse action notice with CRA contact info and rights summary | final_adverse_notice_sent_at + final_adverse_notice_document_url; FCRAAdverseActionStatus = 'final_notice_sent' | ☐ Pending | ________ |
| F-09 | Record Retention — Retain all FCRA-related documents per federal (1 year) and state requirements | fcra_retention_until field; retention policy enforcement | ☐ Pending | ________ |
1.3 Ongoing Obligations
| # | Requirement | Implementation | Status | Sign-Off |
|---|---|---|---|---|
| F-10 | Data Security — Properly dispose of consumer report information | Soft-delete with fcra_retention_until expiration; no PII in logs | ☐ Pending | ________ |
| F-11 | Audit Trail — Maintain complete audit trail of all background check actions | hr_background_check_webhook_audit table; immutable webhook logs | ☐ Pending | ________ |
| F-12 | Permissible Purpose — Only obtain reports for permissible employment purposes | Application-level enforcement: checks tied to hr_applications with active status | ☐ Pending | ________ |
2. TCPA Compliance Requirements (SMS)
The Telephone Consumer Protection Act (TCPA) regulates automated text messages and requires explicit consent before sending SMS communications.
2.1 Consent Collection
| # | Requirement | Implementation | Status | Sign-Off |
|---|---|---|---|---|
| T-01 | Express Written Consent — Obtain clear, conspicuous written consent before sending any automated SMS | hr_sms_consent_logs table with consent_given, consent_text, ip_address fields | ☐ Pending | ________ |
| T-02 | Consent Text Disclosure — Consent language must clearly describe the types of messages, frequency, and data rates | DEFAULT_CONSENT_TEXT constant; customizable per organization | ☐ Pending | ________ |
| T-03 | Consent Per Message Type — Separate consent for each category of messages | SMSConsentType enum: background_check_notifications, interview_reminders, offer_updates, general_hr | ☐ Pending | ________ |
| T-04 | Voluntary Consent — Consent cannot be a condition of employment or application | UI displays consent as optional checkbox; application proceeds regardless | ☐ Pending | ________ |
2.2 Opt-Out Mechanisms
| # | Requirement | Implementation | Status | Sign-Off |
|---|---|---|---|---|
| T-05 | STOP Keyword — Honor “STOP” replies to immediately cease messages | opt_out_methods: 'stop_keyword'; webhook processing for inbound STOP | ☐ Pending | ________ |
| T-06 | Opt-Out Confirmation — Send a single confirmation message acknowledging opt-out | Edge function sends one final message upon STOP processing | ☐ Pending | ________ |
| T-07 | Opt-Out Record — Maintain timestamped record of all opt-outs | opted_out_at, opt_out_method fields on hr_sms_consent_logs | ☐ Pending | ________ |
| T-08 | Re-Opt-In Process — If user texts START after opting out, re-enable with fresh consent | New consent log entry created; previous opt-out record preserved | ☐ Pending | ________ |
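The opt-out flow in this table (T-05 through T-08), together with the consent gate that section 4 describes, as an added example. This is not the project's own code: it models the hr_sms_consent_logs fields named in this document as an insert-only log, processes inbound STOP and START replies, and checks for active consent before a message is prepared. Matching rows by phone number, the in-memory store, the confirmation wording and the org-name/STOP-footer format in `prepareSms` are assumptions, not details taken from the page.

```typescript
// Added example, not the project's own code. It models the hr_sms_consent_logs
// fields named in this document as an insert-only log, handles inbound STOP and
// START replies (T-05 to T-08) and applies the consent gate before any send.
// Assumed (not on the page): matching rows by phone number, the in-memory store,
// the confirmation wording and the org-name/STOP-footer format in prepareSms.

type SMSConsentType =
  | "background_check_notifications" | "interview_reminders" | "offer_updates" | "general_hr";
const ALL_CONSENT_TYPES: readonly SMSConsentType[] =
  ["background_check_notifications", "interview_reminders", "offer_updates", "general_hr"];

interface SMSConsentLog {
  readonly id: number;
  readonly phone: string; // assumed matching key for inbound replies
  readonly consent_type: SMSConsentType;
  readonly consent_given: boolean;
  readonly consent_text: string;
  readonly ip_address: string | null;
  readonly created_at: Date;
  readonly opted_out_at: Date | null;
  readonly opt_out_method: "stop_keyword" | null;
}

// Insert-only store: every state change is a new frozen row; nothing is updated
// or deleted, so the full history of consents and opt-outs is preserved.
class ConsentLogStore {
  private readonly rows: SMSConsentLog[] = [];
  private nextId = 1;

  insert(row: Omit<SMSConsentLog, "id">): SMSConsentLog {
    const stored: SMSConsentLog = Object.freeze({ id: this.nextId++, ...row });
    this.rows.push(stored);
    return stored;
  }

  all(): ReadonlyArray<SMSConsentLog> { return this.rows; }

  // The newest row for (phone, type) is the current consent state.
  latest(phone: string, type: SMSConsentType): SMSConsentLog | undefined {
    for (let i = this.rows.length - 1; i >= 0; i--) {
      const r = this.rows[i];
      if (r.phone === phone && r.consent_type === type) return r;
    }
    return undefined;
  }

  hasActiveConsent(phone: string, type: SMSConsentType): boolean {
    const r = this.latest(phone, type);
    return r !== undefined && r.consent_given && r.opted_out_at === null;
  }
}

// T-01: record express written consent with the text shown and the source IP.
function recordConsent(store: ConsentLogStore, phone: string, type: SMSConsentType,
                       consentText: string, ip: string, now: Date): SMSConsentLog {
  return store.insert({ phone, consent_type: type, consent_given: true, consent_text: consentText,
    ip_address: ip, created_at: now, opted_out_at: null, opt_out_method: null });
}

// Inbound keyword processing. Returns the single reply to send, or null for none.
function handleInboundKeyword(store: ConsentLogStore, phone: string, body: string,
                              freshConsentText: string, now: Date): string | null {
  const keyword = body.trim().toUpperCase();
  if (keyword === "STOP") {
    let revoked = 0;
    for (const type of ALL_CONSENT_TYPES) {
      if (!store.hasActiveConsent(phone, type)) continue;
      const prev = store.latest(phone, type)!;
      store.insert({ phone, consent_type: type, consent_given: false, consent_text: prev.consent_text,
        ip_address: null, created_at: now, opted_out_at: now, opt_out_method: "stop_keyword" });
      revoked++;
    }
    // T-06: exactly one confirmation. A repeated STOP from a number that is
    // already opted out gets nothing, so no further message reaches it.
    return revoked > 0 ? "You have opted out and will receive no further messages." : null;
  }
  if (keyword === "START") {
    // T-08: re-enable only via a fresh consent row; the opt-out row stays in the log.
    for (const type of ALL_CONSENT_TYPES) {
      const prev = store.latest(phone, type);
      if (prev !== undefined && prev.opted_out_at !== null) {
        store.insert({ phone, consent_type: type, consent_given: true, consent_text: freshConsentText,
          ip_address: null, created_at: now, opted_out_at: null, opt_out_method: null });
      }
    }
  }
  return null;
}

// Consent gate before dispatch, plus T-09 org identification and T-10 opt-out footer.
function prepareSms(store: ConsentLogStore, orgName: string, phone: string,
                    type: SMSConsentType, body: string): { send: boolean; message?: string; reason?: string } {
  if (!store.hasActiveConsent(phone, type)) {
    return { send: false, reason: `no active ${type} consent on record for ${phone}` };
  }
  return { send: true, message: `${orgName}: ${body} Reply STOP to opt out.` };
}
```

The design point worth noticing is that an opt-out is itself a new row rather than an update to the consent row: this is what lets the "consent record immutability" control (insert-only, no updates or deletes) coexist with the T-07 requirement to keep a timestamped opt-out record, and a later START leaves both earlier rows in place.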
2.3 Message Content Requirements
| # | Requirement | Implementation | Status | Sign-Off |
|---|---|---|---|---|
| T-09 | Organization Identification — Every message must identify the sending organization | Message templates include org name prefix | ☐ Pending | ________ |
| T-10 | Opt-Out Instructions — Every message must include opt-out instructions | SMS footer includes “Reply STOP to opt out” | ☐ Pending | ________ |
| T-11 | No PHI in SMS — Messages must not contain Protected Health Information | PHI detection via detectPhiInMessage utility; sms_phi_detection_mode setting | ☐ Pending | ________ |
| T-12 | Business Hours — Send messages only during appropriate hours | sms_business_hours_start/end in ce_module_settings | ☐ Pending | ________ |
3. Sign-Off Gates
Gate 1: Background Check Feature Activation
Required before: Enabling Checkr integration for any organization
Target date for sign-off: Q2 2026 (when HR-09-P5.2 ships)
| Prerequisite | Authority | Date | Signature |
|---|---|---|---|
| All F-01 through F-04 requirements verified | Compliance Officer | YYYY-MM-DD | ______________ |
| Adverse action workflow tested end-to-end (F-05 through F-08) | Legal Counsel | YYYY-MM-DD | ______________ |
| Audit trail and retention policies confirmed (F-09 through F-12) | Data Privacy Officer | YYYY-MM-DD | ______________ |
| Checkr webhook signature verification tested | Engineering Lead | YYYY-MM-DD | ______________ |
| State-specific disclosure review for operating states | Legal Counsel | YYYY-MM-DD | ______________ |
Gate Decision: ☐ Approved / ☐ Conditional / ☐ Blocked
Conditions (if any): _______________________________________________
Gate 2: SMS Feature Activation
Required before: Enabling SMS notifications for any organization
Target date for sign-off: Q2 2026 (when SMS feature enabled for orgs)
| Prerequisite | Authority | Date | Signature |
|---|---|---|---|
| All T-01 through T-04 consent mechanisms verified | Compliance Officer | YYYY-MM-DD | ______________ |
| Opt-out flow tested end-to-end (T-05 through T-08) | Legal Counsel | YYYY-MM-DD | ______________ |
| Message content requirements validated (T-09 through T-12) | Compliance Officer | YYYY-MM-DD | ______________ |
| PHI detection rules reviewed and tested | Data Privacy Officer | YYYY-MM-DD | ______________ |
| Carrier registration (10DLC/A2P) completed | Engineering Lead | YYYY-MM-DD | ______________ |
Gate Decision: ☐ Approved / ☐ Conditional / ☐ Blocked
Conditions (if any): _______________________________________________
Gate 3: Per-Organization Activation
Required before: Enabling features for each new organization/tenant
| Prerequisite | Authority | Date | Signature |
|---|---|---|---|
| Organization-specific disclosure documents uploaded | Org Admin | YYYY-MM-DD | ______________ |
| State-specific addenda configured for org’s operating states | Compliance Officer | YYYY-MM-DD | ______________ |
| SMS consent text reviewed and customized | Legal Counsel | YYYY-MM-DD | ______________ |
| Org admin trained on adverse action workflow | Compliance Officer | YYYY-MM-DD | ______________ |
Gate Decision: ☐ Approved / ☐ Conditional / ☐ Blocked
4. Enforcement in Code
The following technical controls enforce compliance gates:
| Control | Location | Description |
|---|---|---|
| HiringChecklist component | HR-09-P5 | Blocks hire completion until background check is complete_clear and offer is signed |
| SMS consent gate | hr_sms_consent_logs | SMS sending functions verify active consent before dispatch |
| PHI detection | detectPhiInMessage | Blocks or warns on PHI content based on sms_phi_detection_mode |
| Adverse action state machine | FCRAAdverseActionStatus | Enforces sequential progression: none → notice_sent → dispute_pending → resolved → final_notice_sent |
| Webhook audit immutability | hr_background_check_webhook_audit | RLS restricts writes to service_role only |
| Consent record immutability | hr_sms_consent_logs | Insert-only policy; no updates or deletes by application users |
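The "Adverse action state machine" control above, and the F-05 through F-08 rows in section 1.2 it enforces, as an added example. This is not the project's own code: it implements the listed FCRAAdverseActionStatus progression (none → notice_sent → dispute_pending → resolved → final_notice_sent) over the hr_background_checks fields named in section 1.2, and blocks the final notice until dispute_window_closes_at has passed (F-06). The event names, the 5-business-day default, and the no-dispute path straight from notice_sent to final_notice_sent once the window has closed (F-08) are assumptions.

```typescript
// Added example, not the project's own code. It implements the
// FCRAAdverseActionStatus progression listed under "Enforcement in Code"
// (none -> notice_sent -> dispute_pending -> resolved -> final_notice_sent)
// over the hr_background_checks fields named in section 1.2, and blocks the
// final notice until dispute_window_closes_at has passed (F-06). Assumed:
// the event names, the 5-business-day default, and the no-dispute path from
// notice_sent straight to final_notice_sent once the window has closed (F-08).

type FCRAAdverseActionStatus =
  | "none" | "notice_sent" | "dispute_pending" | "resolved" | "final_notice_sent";

interface AdverseActionRecord {
  readonly adverse_action_status: FCRAAdverseActionStatus;
  readonly adverse_action_notice_sent_at: Date | null;
  readonly adverse_action_notice_document_url: string | null;
  readonly dispute_window_closes_at: Date | null;
  readonly dispute_submitted: boolean;
  readonly dispute_reason: string | null;
  readonly dispute_resolved_at: Date | null;
  readonly final_adverse_notice_sent_at: Date | null;
  readonly final_adverse_notice_document_url: string | null;
}

type AdverseActionEvent =
  | { kind: "send_pre_adverse_notice"; documentUrl: string }
  | { kind: "submit_dispute"; reason: string }
  | { kind: "resolve_dispute" }
  | { kind: "send_final_notice"; documentUrl: string };

class AdverseActionError extends Error {}

function initialAdverseAction(): AdverseActionRecord {
  return {
    adverse_action_status: "none", adverse_action_notice_sent_at: null,
    adverse_action_notice_document_url: null, dispute_window_closes_at: null,
    dispute_submitted: false, dispute_reason: null, dispute_resolved_at: null,
    final_adverse_notice_sent_at: null, final_adverse_notice_document_url: null,
  };
}

// Counts only Monday to Friday (UTC); holidays are not handled here.
function addBusinessDays(from: Date, days: number): Date {
  const d = new Date(from.getTime());
  for (let remaining = days; remaining > 0; ) {
    d.setUTCDate(d.getUTCDate() + 1);
    const dow = d.getUTCDay();
    if (dow !== 0 && dow !== 6) remaining--;
  }
  return d;
}

// Pure transition: returns a new record or throws. A rejected event never
// mutates the input, so an invalid request leaves the stored state untouched.
function transition(s: AdverseActionRecord, ev: AdverseActionEvent, now: Date,
                    disputeWindowBusinessDays = 5): AdverseActionRecord {
  const st = s.adverse_action_status;
  switch (ev.kind) {
    case "send_pre_adverse_notice": // F-05
      if (st !== "none") throw new AdverseActionError(`pre-adverse notice already sent (status ${st})`);
      return { ...s, adverse_action_status: "notice_sent", adverse_action_notice_sent_at: now,
        adverse_action_notice_document_url: ev.documentUrl,
        dispute_window_closes_at: addBusinessDays(now, disputeWindowBusinessDays) };
    case "submit_dispute": // F-07
      if (st !== "notice_sent") throw new AdverseActionError(`cannot dispute from status ${st}`);
      return { ...s, adverse_action_status: "dispute_pending", dispute_submitted: true, dispute_reason: ev.reason };
    case "resolve_dispute": // F-07
      if (st !== "dispute_pending") throw new AdverseActionError(`no pending dispute (status ${st})`);
      return { ...s, adverse_action_status: "resolved", dispute_resolved_at: now };
    case "send_final_notice": // F-08, gated by the F-06 waiting period
      if (st === "notice_sent") {
        const closes = s.dispute_window_closes_at!;
        if (now.getTime() < closes.getTime()) {
          throw new AdverseActionError(`dispute window open until ${closes.toISOString()}`);
        }
      } else if (st !== "resolved") {
        throw new AdverseActionError(`cannot send final notice from status ${st}`);
      }
      return { ...s, adverse_action_status: "final_notice_sent", final_adverse_notice_sent_at: now,
        final_adverse_notice_document_url: ev.documentUrl };
    default:
      throw new AdverseActionError("unknown event");
  }
}
```

Because `transition` is the only way to change the status, every skipped step (a final notice with no pre-adverse notice, a resolution with no dispute, a final notice inside an open window) is rejected before anything is written, which is the property the F-05 through F-08 sign-offs need to verify end-to-end.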
5. Periodic Review Schedule
| Review | Frequency | Next Due | Owner |
|---|---|---|---|
| FCRA process audit | Quarterly | YYYY-MM-DD | Compliance Officer |
| TCPA consent mechanism review | Quarterly | YYYY-MM-DD | Legal Counsel |
| State law update check | Monthly | YYYY-MM-DD | Legal Counsel |
| PHI detection pattern update | Semi-annually | YYYY-MM-DD | Data Privacy Officer |
| Carrier compliance review (10DLC) | Annually | YYYY-MM-DD | Engineering Lead |
Official Sources
Full list of authoritative external references (HR, CL, PM, RH, GR, IT, PF): root AGENTS.md § Authoritative External References.
Version History
1.0.0 (2026-02-10)
- Initial compliance tracking document
- Defined FCRA requirements F-01 through F-12
- Defined TCPA requirements T-01 through T-12
- Established three sign-off gates (feature activation, SMS activation, per-org activation)
- Mapped enforcement controls to codebase
Last Updated: 2026-02-10
Next Review: 2026-05-10