Data Security Policy
WOTC Plus, LLC
30 N. Gould St, Sheridan, WY 82801
www.wotcplus.com
Purpose & Scope
This policy defines how WOTC Plus LLC (“WOTC Plus,” “we,” “us”) protects customer data processed by our platform and related services, including the collection and management of Work Opportunity Tax Credit (WOTC) forms, state submissions, and client account data. It applies to all employees, contractors, systems, and third-party subprocessors that access or store WOTC Plus data.
Data We Process
- Client (Employer) Data: company profile, authorized contacts, billing and account metadata, and agent/representative declarations.
- Applicant/Employee Data (PII): full name, address, date of birth, contact details, Social Security number (SSN), and WOTC eligibility attestations (Forms 8850/9061).
- Operational & Security Data: logs, telemetry, audit trails, IP addresses, and device attributes.
We minimize data collection to what is necessary for WOTC compliance and lawful processing.
Data Classification
- Confidential: SSNs, IDs, WOTC forms, authentication secrets, encryption keys.
- Internal: configuration data, internal communications, non-public documentation.
- Public: marketing materials and published help documents.
Controls such as encryption, access control, and monitoring are applied in proportion to the classification level, with Confidential data receiving the strictest handling.
Security Governance
The Head of Security oversees risk management, policy maintenance, incident response, and compliance. Policies are reviewed annually or upon material change. All personnel complete onboarding and annual security training, with background checks where permitted.
Access Control & Authentication
- Least Privilege: Role-based access control (RBAC) with just-in-time elevation.
- MFA & SSO: Multi-factor authentication is enforced for administrative access; SSO/OAuth2/SAML is supported for customers.
- Session Security: Secure cookies, inactivity timeouts, and anomaly detection.
- Data Segregation: Logical separation ensures no cross-tenant access.
Encryption & Key Management
Data in transit is protected by TLS 1.2+; data at rest uses AES-256 or stronger encryption. Keys and certificates are stored in hardened secret management systems with rotation and access logging.
Network & Infrastructure Security
We employ defense-in-depth, including segmented networks, private subnets, web firewalls, DDoS protection, intrusion detection, endpoint monitoring, and hardened servers aligned with CIS benchmarks.
Application Security (Secure SDLC)
Development follows OWASP ASVS and Top 10 standards. All code changes undergo review and automated scanning for vulnerabilities. Independent penetration testing is conducted annually, with summaries available under NDA.
Vulnerability & Patch Management
Continuous scanning is performed for hosts, containers, and apps. Remediation targets: Critical – 7 days; High – 30 days; Medium – 90 days. Post-remediation verification and change tracking are required.
Logging, Monitoring & Alerting
We maintain centralized, immutable logs for authentication, admin actions, data access, and system events. Logs are retained for at least 12 months, with continuous alerting for suspicious activity such as excessive SSN lookups or mass data exports.
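To make the alerting rule above concrete, the following is an added Python example (not WOTC Plus code) that runs two detections over constructed JSON-lines audit events: a sliding-window count of SSN lookups per user, and a row-count threshold on single export operations. The event names, field names, thresholds and the sample events themselves are assumptions for illustration.

```python
"""Threshold alerting over an audit log: flags users who perform too many SSN
lookups in a short window, and single exports that return too many records.
Added example; event schema, thresholds and sample data are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import json

# Constructed sample audit events (JSON lines); not real platform logs.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:00Z", "user": "alice", "event": "ssn_lookup", "applicant_id": 101}
{"ts": "2024-05-01T09:00:05Z", "user": "alice", "event": "ssn_lookup", "applicant_id": 102}
{"ts": "2024-05-01T09:00:10Z", "user": "alice", "event": "ssn_lookup", "applicant_id": 103}
{"ts": "2024-05-01T09:00:15Z", "user": "alice", "event": "ssn_lookup", "applicant_id": 104}
{"ts": "2024-05-01T09:00:20Z", "user": "alice", "event": "ssn_lookup", "applicant_id": 105}
{"ts": "2024-05-01T09:00:25Z", "user": "alice", "event": "ssn_lookup", "applicant_id": 106}
{"ts": "2024-05-01T09:30:00Z", "user": "bob", "event": "ssn_lookup", "applicant_id": 201}
{"ts": "2024-05-01T10:30:00Z", "user": "bob", "event": "ssn_lookup", "applicant_id": 202}
{"ts": "2024-05-01T11:00:00Z", "user": "carol", "event": "export", "rows": 12}
{"ts": "2024-05-01T11:05:00Z", "user": "carol", "event": "export", "rows": 4800}
"""

LOOKUP_THRESHOLD = 5                 # more than this many lookups in the window alerts
LOOKUP_WINDOW = timedelta(minutes=10)
EXPORT_ROW_THRESHOLD = 1000          # a single export returning more rows than this alerts


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect(events):
    """Return a list of alert dicts for the two rules."""
    alerts = []
    windows = defaultdict(deque)   # user -> timestamps of lookups inside the window
    fired = set()                  # users currently above threshold (suppresses repeats)
    for rec in events:
        user = rec["user"]
        if rec["event"] == "ssn_lookup":
            q = windows[user]
            q.append(rec["ts"])
            # Drop lookups that have aged out of the sliding window.
            while q and rec["ts"] - q[0] > LOOKUP_WINDOW:
                q.popleft()
            if len(q) > LOOKUP_THRESHOLD:
                if user not in fired:
                    fired.add(user)
                    alerts.append({"rule": "excessive_ssn_lookups", "user": user,
                                   "count": len(q), "at": rec["ts"]})
            else:
                fired.discard(user)   # re-arm once the rate drops back down
        elif rec["event"] == "export" and rec.get("rows", 0) > EXPORT_ROW_THRESHOLD:
            alerts.append({"rule": "mass_export", "user": user,
                           "rows": rec["rows"], "at": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(a)
```

The suppression set keeps one burst from producing one alert per event; a real pipeline would also key the lookup window on tenant so a user holding roles in several client accounts is not double counted.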
Data Handling, Storage & Transmission
- SSNs are masked in the UI and redacted in logs.
- All uploads are virus-scanned and validated.
- Emailing PII is prohibited; encrypted HTTPS/SFTP transfers are required.
- Signed agent/representative forms (e.g., ETA-9198) are encrypted and tracked with lifecycle management.
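The first bullet above distinguishes masking for display from redaction in logs. As an added example that is not WOTC Plus code, the following Python shows both: a display mask that keeps only the last four digits, a redaction function that removes SSN-shaped tokens entirely, and a logging filter attached at the handler so the value never reaches the log stream. The regex, logger name and log format are assumptions for illustration.

```python
"""SSN masking for UI display versus full redaction in logs.
Added example; the pattern and logging setup are assumptions."""
import io
import logging
import re

# SSN-shaped token: 9 digits, optionally grouped 3-2-4 with '-' or ' '.
# The lookarounds stop it matching inside longer digit runs such as a
# 10-digit phone number or an account identifier.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\d-])")


def mask_ssn(ssn):
    """UI display form: only the last four digits remain visible."""
    m = SSN_RE.fullmatch(ssn.strip())
    if not m:
        raise ValueError("value is not SSN-shaped")
    return f"***-**-{m.group(3)}"


def redact_ssns(text):
    """Log form: replace every SSN-shaped token; nothing of the value survives."""
    return SSN_RE.sub("[SSN REDACTED]", text)


class SSNRedactingFilter(logging.Filter):
    """Formats the record once, redacts it, and clears args so no handler
    can re-interpolate the original values."""

    def filter(self, record):
        record.msg = redact_ssns(record.getMessage())
        record.args = None
        return True


def build_logger(stream):
    """Logger whose single handler redacts before writing to `stream`."""
    logger = logging.getLogger("wotc.redaction-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(SSNRedactingFilter())
    logger.addHandler(handler)
    return logger


def log_and_capture(message, *args):
    """Emit one log line through the redacting handler and return what was written."""
    buf = io.StringIO()
    build_logger(buf).info(message, *args)
    return buf.getvalue()


if __name__ == "__main__":
    print(mask_ssn("123-45-6789"))
    print(log_and_capture("applicant %s submitted 8850 with SSN %s", "A-101", "123 45 6789"), end="")
```

The filter sits on the handler rather than the logger so it also covers records that arrive through propagation from child loggers; masking (last four visible) is reserved for the UI, since a log that retains the last four digits still leaks a correlation key.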
Data Retention & Deletion
We retain WOTC-related records as required for audits and compliance (generally three to four years). Upon contract termination or verified request, customer data is securely deleted or returned, including cryptographic erasure from backups.
Backups, Business Continuity & Disaster Recovery
Daily encrypted backups support point-in-time recovery. Our infrastructure is redundant across availability zones, with recovery objectives of RPO ≤ 24h and RTO ≤ 48h. Annual disaster recovery and incident response exercises are performed.
Incident Response & Breach Notification
We follow a structured incident response process: Prepare → Detect → Contain → Eradicate → Recover → Post-Mortem. Customers are notified without undue delay after confirmation of a breach. For California residents, we comply with CPRA/§1798.82 notification timelines (typically within 30 days).
Physical & Personnel Security
Our data centers are certified (SOC 2/ISO 27001) with layered physical controls. Offices enforce badge access, clean-desk policies, and secure disposal of documents. All company devices have full-disk encryption and endpoint management.
Third-Party Risk Management
All subprocessors and vendors undergo security and privacy due diligence before onboarding and annually thereafter. We maintain DPAs and follow international data transfer laws, including Standard Contractual Clauses when applicable.
Privacy & Data Subject Rights
We implement technical and organizational measures to support consumer privacy rights (access, correction, deletion, portability, opt-out of sale/share) in accordance with our Privacy Policy. APIs and configurations enable customers to fulfill workforce-related privacy requests.
Customer Responsibilities (Shared Responsibility)
- Configure user roles and MFA for your tenant.
- Limit local storage or printing of WOTC documents.
- Maintain your own tax and record retention policies.
- Protect API keys and SSO configurations.
- Report any credential or system compromise immediately to WOTC Plus.
Prohibited Practices
- Storing production PII in unsecured personal drives or email.
- Bypassing MFA or sharing login accounts.
- Exporting SSNs or PII without legitimate business justification and management approval.
Audits & Attestations
We conduct internal audits and assessments against this policy. Summaries of penetration tests and third-party attestations (e.g., SOC 2 reports) may be provided under NDA upon reasonable request.
Revisions
WOTC Plus may update this policy periodically to reflect improvements, legal changes, or expanded services. The “Effective Date” above indicates the most recent revision.
Security Contact
Email: support@wotcplus.com
Abuse/Incident Reports: support@wotcplus.com
Mailing Address: WOTC Plus LLC — 30 N. Gould St, Sheridan, WY 82801
Phone: (844) GET-WOTC / (844) 438-9682
