Data & Compliance
Effective date: April 1, 2026 · Last reviewed: April 2026
Effective Date and Scope
This Compliance page describes the data security posture, regulatory acknowledgments, and operational policies of WorkRail as of April 1, 2026. It is intended for authorized state agency partners, agency administrators, and Employment Transition Navigators (ETNs) who require documentation of WorkRail's compliance practices.
CJIS Compliance Acknowledgment
WorkRail is designed for use within Colorado reentry employment programs that may involve access to individuals with criminal justice system involvement. We acknowledge the requirements of the FBI's Criminal Justice Information Services (CJIS) Security Policy as they relate to platforms accessing or processing criminal justice information.
- WorkRail does not directly interface with NCIC, III, or other restricted CJIS data systems. Criminal history information entered into WorkRail is provided directly by authorized ETNs from their own agency systems.
- Access to WorkRail is controlled through agency-level authorization. ETN accounts are provisioned only by agency administrators affiliated with Colorado DCJ-authorized programs.
- Agencies responsible for CJIS-covered data should review their applicable data sharing agreements before entering restricted criminal justice records into the WorkRail platform.
Data Security
WorkRail implements the following security controls:
- Encryption at rest: All data stored in WorkRail's database is encrypted with AES-256.
- Encryption in transit: All data transmitted between clients and WorkRail servers is encrypted using TLS 1.2 or higher.
- SOC 2 Type II: WorkRail's database and authentication infrastructure are provided by Supabase, which maintains SOC 2 Type II certification covering security, availability, and confidentiality.
- Row-level security: Database access policies enforce that each ETN can only access records within their assigned caseload. Agency administrators are scoped to their own organization's records.
- Authentication: All users authenticate with email and password. Multi-factor authentication is available and recommended for ETN accounts.
- Rate limiting and input sanitization: API endpoints are protected by rate limiting, and all user inputs are sanitized to prevent injection attacks.
Health Information
WorkRail does not store Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA). WorkRail is not a covered entity or business associate under HIPAA.
When ETNs document referrals to mental health, substance use treatment, or medical services, those referrals are recorded by provider name and referral date only. No diagnoses, treatment records, medication information, or clinical notes are collected or stored in WorkRail.
Agencies that manage PHI in their own systems should ensure that no PHI is entered into WorkRail fields not designated for that purpose.
State Agency Use
WorkRail is designed for use by agencies operating under the authority of the Colorado Division of Criminal Justice (DCJ) and affiliated county and nonprofit reentry programs. Authorized use includes:
- Case management for individuals on parole, probation, or transitioning from incarceration.
- Employment matching, job fair coordination, and apprenticeship tracking.
- ETN-to-client communication, coaching module delivery, and outcome reporting.
Agencies wishing to onboard to WorkRail must execute a data use agreement with WorkRail prior to receiving access. Contact compliance@workrail.io to initiate the onboarding process.
Audit Logging
All ETN and administrator actions within WorkRail are logged with a timestamp, user ID, and action type. Logged events include:
- Client profile creation, modification, and access.
- Case note additions and edits.
- Outreach messages sent and calls initiated.
- Resume generation and employer outreach activity.
- Account provisioning and deactivation by administrators.
Audit logs are retained for a minimum of 12 months and are available to authorized agency administrators upon request.
Data Residency
All WorkRail data is stored and processed exclusively within the United States. WorkRail's primary database region is Supabase US East (AWS us-east-1). No personal data is transferred to or stored in servers outside the United States.
Incident Response
In the event of a confirmed security incident that affects personal data, WorkRail will:
- Notify affected agencies within 72 hours of becoming aware of the incident, in accordance with applicable data breach notification requirements.
- Provide affected agencies with a description of the nature of the incident, the categories of data involved, the likely consequences, and the measures taken or proposed to address the incident.
- Cooperate with agencies and relevant authorities in any required investigation or notification to affected individuals.
To report a suspected security incident, contact compliance@workrail.io immediately.
Policy Review
WorkRail's Privacy Policy, Terms of Use, and this Compliance page are reviewed at least annually and updated as needed to reflect changes in law, technology, or operational practice. The most recent review was completed in April 2026.
Authorized agencies will be notified of material policy changes prior to their effective date.
Compliance Contact
For compliance inquiries, data use agreements, or to request audit documentation:
WorkRail Compliance Team
Email: compliance@workrail.io