Greenlight
Use when DPA, admin logs, candidate notice, and deletion routes are complete before launch.
| Control | Enterprise Graph | Anonymous Forum | Regional Guild | Portfolio Circle |
|---|---|---|---|---|
| Composite score | 82 | 68 | 76 | 72 |
| Best buyer use | Broad sourcing and market maps | Sentiment and compensation signal | Regional hiring and licensed roles | Skills validation and early-career roles |
| Primary risk | Excess candidate profiling | Re-identification pressure | Limited market coverage | Vendor maturity |
| DPA readiness | Complete packet | Needs architecture letter | Complete packet | Audit pending |
| Admin controls | Seat logs, exports, roles | Limited dashboards | Role controls and event logs | Basic role model |
| Candidate notice | Clear but broad | Needs anti-retaliation framing | Specific and localized | Visible contact controls |
| Retention posture | 36 months standard | 18 months standard | 24 months standard | 12 months standard |
| Invented annual price band | $148,000 to $410,000 | $42,000 to $96,000 | $28,000 to $74,000 | $18,000 to $61,000 |
Harbor shortlist rules
Conditional
Use for a limited pilot with a written risk owner and a 90-day evidence checkpoint.
Hold
Pause procurement when identity, moderation, or subprocessor evidence is unavailable.
Retire
Exit when a community cannot meet breach notice, deletion, or non-retaliation commitments.
Detailed control matrix
| Evidence item | Why HR cares | Minimum acceptable response | Owner |
|---|---|---|---|
| Subprocessor register | Candidate and employee data may move through analytics, hosting, enrichment, and support vendors. | Named vendors, country, purpose, and 30-day change notice. | Legal |
| Recruiter activity log | HR must investigate inappropriate searches and contact patterns. | Search, export, message, and admin events retained for 18 months. | Recruiting operations |
| Deletion workflow | Candidate rights requests need operational proof, not promises. | Self-service deletion plus enterprise request queue under 30 days. | Privacy |
| Moderation report | Community harm can become employer risk when programs are sponsored. | Quarterly volume, severity, median response time, and appeal outcomes. | Employee relations |
| Accessibility review | Hiring channels must not exclude candidates. | WCAG 2.2 AA statement and remediation owner. | Talent programs |