Contractor Onboarding Checklist

Onboarding checklist for Maelstrom AI contractors covering compliance and operational requirements

Public


Purpose: This checklist ensures consistent, compliant onboarding for all contractors engaged by Maelstrom AI, supporting GAP-M015 closure (HR Privacy Notice delivery) and operational excellence.

Responsible Party: Security Lead (unless otherwise specified)

Document Integration: This checklist implements requirements from:

  • HR Privacy Notice (GAP-M015) - Privacy notice delivery and acknowledgment
  • Access Control Policy - MFA requirements, access provisioning
  • Information Security Policy - Security training and awareness
  • Acceptable Use Policy - Device and system usage requirements

Pre-Engagement

Timeline: Before contract signing

Skills and Suitability Assessment

  • Conduct initial interview and technical assessment

  • Responsible. Security Lead

  • Timeline. During recruitment

  • Documentation. Interview notes, skills assessment results

  • Outcome. Determine role suitability and technical fit

  • Perform reference checks (if required for role)

  • Responsible. Security Lead

  • Timeline. After interview, before offer

  • Documentation. Reference check notes (store securely)

  • Outcome. Verify professional background and work quality

  • Note. Per HR Privacy Notice, reference information retained for contract duration + 1 year

  • Verify right to work (if applicable for jurisdiction)

  • Responsible. Security Lead

  • Timeline. Before contract signing

  • Documentation. Verification records (encrypted storage)

  • Outcome. Legal compliance with employment laws

  • Note. For Australian contractors, verify citizenship/work authorisation if required

Contract Preparation

  • Draft contractor agreement with scope of work

  • Responsible. ISMS Owner (legal review if needed)

  • Timeline. After successful interview

  • Contents. Scope, payment terms, IP assignment, confidentiality, termination

  • Outcome. Clear contractual relationship defined

  • Note. Per HR Privacy Notice, contracts retained 7 years post-termination

  • Prepare Non-Disclosure Agreement (if separate from contract)

  • Responsible. Security Lead

  • Timeline. Before contract signing

  • Outcome. Confidentiality obligations established


Day 1 - Contract Signing and Policy Acknowledgment

Timeline: Contract signing date

  • Sign contractor agreement

  • Responsible. Contractor + Security Lead

  • Timeline. Day 1 (contract signing)

  • Contents. IP assignment, confidentiality, scope of work, payment terms

  • Outcome. Legal contractual relationship established

  • Storage. Encrypted storage, 7-year retention per HR Privacy Notice

  • Deliver HR Privacy Notice and obtain acknowledgment (GAP-M015 REQUIREMENT)

  • Responsible. Security Lead

  • Timeline. Day 1 - MUST occur at contract signing

  • Method. Provide copy of /trust/legal/hr-privacy-notice.md

  • Acknowledgment. Contractor signs acknowledgment form or email confirmation

  • Contents. Explain how Maelstrom AI collects, uses, stores, and protects contractor personal information

  • Documentation. Store acknowledgment record (7-year retention)

  • Outcome. GAP-M015 compliance - contractor informed of data privacy rights

  • Note. This is a MANDATORY requirement for compliance

  • Sign NDA (if separate from contract)

  • Responsible. Contractor + Security Lead

  • Timeline. Day 1

  • Outcome. Confidentiality obligations documented

  • Provide Information Security Policy acknowledgment

  • Responsible. ISMS Owner provides, contractor signs

  • Timeline. Day 1

  • Document. /trust/security/information-security-policy.mdx

  • Outcome. Contractor understands security responsibilities

  • Acknowledgment. Signed acknowledgment stored with contract

  • Provide Acceptable Use Policy acknowledgment

  • Responsible. ISMS Owner provides, contractor signs

  • Timeline. Day 1

  • Document. /trust/security/acceptable-use.md

  • Outcome. Contractor understands acceptable use of systems and devices

  • Acknowledgment. Signed acknowledgment stored with contract

Financial and Tax Information Collection

  • Collect bank details for payment (encrypted)

  • Responsible. Security Lead (via secure method)

  • Timeline. Day 1

  • Method. Encrypted email or secure form

  • Information. BSB, account number, account name

  • Storage. Encrypted at rest, provided to payment processor only

  • Retention. Contract duration + 7 years (financial records)

  • Note. Per HR Privacy Notice Section 2.2, Maelstrom AI does not store full bank details; they are provided to the payment processor only

  • Collect tax information (TFN/ABN for Australian contractors)

  • Responsible. Security Lead

  • Timeline. Day 1 (required for first payment)

  • Information. Tax File Number (TFN) or Australian Business Number (ABN)

  • Storage. Encrypted at rest (separate encryption key per HR Privacy Notice)

  • Retention. Contract duration + 7 years (ATO requirement)

  • Legal Basis. Legal obligation (Taxation Administration Act 1953)

  • Collect emergency contact information (with consent)

  • Responsible. Security Lead

  • Timeline. Day 1 (optional but recommended)

  • Information. Name, relationship, phone number

  • Legal Basis. Legitimate interests + consent (HR Privacy Notice Section 2.1)

  • Storage. Encrypted, limited access

  • Retention. Contract duration + 1 year

  • Note. Contractor may decline - this is voluntary

Personal Information Collection

  • Collect contact information
  • Responsible. Security Lead
  • Timeline. Day 1
  • Information. Full legal name, email, phone, mailing address, date of birth (if required for legal compliance)
  • Purpose. Contract management, payment, communication
  • Retention. Per HR Privacy Notice Section 6 - contact info retained 1 year post-termination
  • Legal Basis. Contract performance (GDPR Article 6(1)(b))

Day 1 - Initial System Access

Timeline: Day 1 (after contract signed and policies acknowledged)

GitHub Access

  • Create GitHub account (if contractor doesn’t have existing account)

  • Responsible. Contractor creates, Security Lead verifies

  • Timeline. Day 1

  • Outcome. GitHub account ready for organisation access

  • Add contractor to our GitHub organisation (under MaelstromAI enterprise)

  • Responsible. Security Lead

  • Timeline. Day 1 (after MFA verified)

  • Access Level. Member (not Owner - per Access Control Policy segregation of duties)

  • Documentation. Record in contractor tracking template (maintained internally; available to auditors and enterprise customers on request)

  • Outcome. Access to private repositories

  • Add to relevant GitHub teams based on role

  • Responsible. Security Lead

  • Timeline. Day 1

  • Teams. Backend, Frontend, Security (as appropriate for role)

  • Outcome. Role-based repository access

  • Add to CODEOWNERS files for relevant repositories

  • Responsible. Security Lead or ISMS Owner

  • Timeline. Day 1-3

  • Purpose. Code review requirements for critical files (cryptography, security)

  • Outcome. Enforce mandatory code review per Access Control Policy

  • Set up MFA on GitHub account (MANDATORY)

  • Responsible. Contractor sets up, Security Lead verifies

  • Timeline. Day 1 - MUST be completed before any repository access

  • Method. Authenticator app (Authy, Google Authenticator) or hardware key (YubiKey preferred)

  • Verification. Security Lead verifies MFA enabled via GitHub organisation security settings

  • Enforcement. Access Control Policy requires MFA for all GitHub access

  • Outcome. Account secured with MFA

Google Workspace Access

  • Create Google Workspace account (email, calendar, drive)

  • Responsible. Security Lead

  • Timeline. Day 1

  • Email Format. firstname@provii.app or contractor-agreed format

  • Access. Email, Google Drive, Calendar

  • Outcome. Work email and collaboration tools

  • Set up MFA on Google Workspace (MANDATORY)

  • Responsible. Contractor sets up, Security Lead verifies

  • Timeline. Day 1 - MUST be completed before email access

  • Method. Authenticator app or hardware key

  • Verification. Security Lead verifies MFA enabled via Google Workspace admin console

  • Enforcement. Access Control Policy requires MFA for all cloud services

  • Outcome. Email account secured with MFA

Communication and Collaboration Tools

  • Add to Slack workspace (if used)

  • Responsible. Security Lead

  • Timeline. Day 1

  • Channels. General, engineering, security (as appropriate)

  • Outcome. Team communication access

  • Provide access to password manager (1Password/Bitwarden/similar)

  • Responsible. Security Lead

  • Timeline. Day 1

  • License. Company-provided or contractor personal (company-approved)

  • Requirement. Per Access Control Policy, password manager mandatory for all team members

  • Outcome. Secure credential storage

Infrastructure Access (Role-Specific)

  • Add to Cloudflare account (if infrastructure/DevOps role)

  • Responsible. Security Lead

  • Timeline. Day 1-3 (based on role requirements)

  • Access Level. Limited role-based access (developer: limited, admin: selective per Access Control Policy)

  • Outcome. Infrastructure management access for relevant roles

  • Set up MFA on Cloudflare account (MANDATORY if Cloudflare access granted)

  • Responsible. Contractor sets up, Security Lead verifies

  • Timeline. Day 1-3 (immediately upon Cloudflare access)

  • Method. Authenticator app or hardware key

  • Verification. Security Lead verifies MFA enabled

  • Enforcement. Access Control Policy requires MFA for production infrastructure

  • Outcome. Production access secured

MFA Verification Checkpoint

  • Verify MFA enabled on ALL accounts (MANDATORY)
  • Responsible. Security Lead
  • Timeline. End of Day 1
  • Accounts to Verify. GitHub, Google Workspace, Cloudflare (if applicable), password manager
  • Method. Check admin consoles for MFA status
  • Enforcement. Access Control Policy - no exceptions permitted for MFA
  • Documentation. Record MFA verification date in contractor tracking template (maintained internally; available to auditors and enterprise customers on request)
  • Outcome. All accounts secured per security policy

Week 1 - Security Training and Awareness

Timeline: Within first week (Days 1-5)

Security Policy Training

  • Complete security awareness training

  • Responsible. Contractor completes, Security Lead tracks

  • Timeline. Week 1

  • Topics. Threat landscape (phishing, social engineering), secure coding, incident reporting, credential management, remote work security

  • Method. Review security policies, Security Lead-led training session, or online training materials

  • Documentation. Training completion record

  • Outcome. Contractor understands security responsibilities

  • Review Access Control Policy

  • Responsible. Contractor reads, Security Lead answers questions

  • Timeline. Week 1

  • Document. /trust/security/access-control.mdx

  • Topics. Authentication (MFA, passwords), authorisation, access reviews, segregation of duties

  • Outcome. Understanding of access management requirements

  • Review incident response procedures

  • Responsible. Contractor reads, Security Lead explains

  • Timeline. Week 1

  • Topics. What to report, how to report (security@maelstrom.au), incident severity levels

  • Outcome. Contractor knows how to report security incidents immediately

  • Review privacy breach notification procedures

  • Responsible. Contractor reads, Security Lead explains

  • Timeline. Week 1

  • Relevance. HR Privacy Notice Section 5.8 - breach notification requirements

  • Topics. Detecting breaches, reporting obligations, notification timelines

  • Outcome. Contractor understands privacy breach responsibilities

  • Understand data retention and deletion policies

  • Responsible. Contractor reads HR Privacy Notice Section 6

  • Timeline. Week 1

  • Topics. Retention periods (1 year work product, 7 years financial), deletion procedures

  • Outcome. Contractor understands how their data is retained and when it’s deleted

  • Review cryptographic standards and CODEOWNERS requirements

  • Responsible. Contractor reads, Security Lead explains (if security/crypto role)

  • Timeline. Week 1 (critical for security roles)

  • Topics. Cryptographic algorithm requirements, code review for crypto changes, CODEOWNERS enforcement

  • Outcome. Understanding of cryptographic security requirements

  • Understand acceptable use policy (no personal use, no sharing credentials)

  • Responsible. Contractor reviews Acceptable Use Policy

  • Timeline. Week 1

  • Document. /trust/security/acceptable-use.md

  • Topics. Prohibited activities, device security, remote work security, consequences of violations

  • Outcome. Contractor understands acceptable and prohibited behaviours

  • Complete COPPA/children’s privacy training (if relevant to role)

  • Responsible. Contractor completes, Security Lead tracks

  • Timeline. Week 1 (for roles involving age verification features)

  • Topics. COPPA compliance, children’s privacy, age verification requirements

  • Outcome. Understanding of legal requirements for child privacy

  • Note. Particularly important for Provii’s age verification mission


Week 1 - Role-Specific Technical Setup

Timeline: Within first week (Days 1-5)

Development Environment Setup

  • Set up local development environment

  • Responsible. Contractor sets up, team supports

  • Timeline. Week 1

  • Requirements. Rust toolchain, Node.js, Wrangler CLI, required IDEs

  • Documentation. Follow Maelstrom AI development setup guides

  • Outcome. Ready to develop locally

  • Enable full disk encryption on development workstation (MANDATORY)

  • Responsible. Contractor enables, Security Lead verifies

  • Timeline. Week 1 (Day 1-2 preferred)

  • Method. FileVault (macOS), BitLocker (Windows), LUKS (Linux)

  • Verification. Screenshot or in-person verification

  • Enforcement. Acceptable Use Policy requires full disk encryption

  • Outcome. Device secured per policy

  • Clone relevant repositories

  • Responsible. Contractor

  • Timeline. Week 1

  • Repositories. Based on role (provii-crypto, verifier, issuer, wallet, docs)

  • Outcome. Access to codebase

  • Run security scans (Clippy, cargo audit, npm audit)

  • Responsible. Contractor runs, team reviews results

  • Timeline. Week 1

  • Purpose. Verify development environment correctly configured

  • Outcome. Security scanning tools operational

  • Review architecture documentation

  • Responsible. Contractor reads, Security Lead/ISMS Owner answers questions

  • Timeline. Week 1

  • Documentation. Maelstrom AI docs, architecture diagrams, API specifications

  • Outcome. Understanding of system architecture

  • Attend technical onboarding session with Security Lead

  • Responsible. Security Lead conducts, contractor attends

  • Timeline. Week 1 (scheduled session)

  • Topics. Architecture overview, development workflow, deployment process, team collaboration

  • Duration. 1-2 hours

  • Outcome. Contractor understands the technical environment and workflows

  • Understand zero knowledge proof architecture

  • Responsible. Cryptography Specialist explains (if crypto role), contractor studies documentation

  • Timeline. Week 1

  • Topics. Groth16 ZKP, RedJubjub signatures, credential privacy

  • Outcome. Understanding of Provii’s privacy-preserving architecture

  • Note. Critical for understanding Maelstrom AI’s mission and technical approach

  • Review ISMS documentation (if security/compliance role)

  • Responsible. Contractor reads, Security Lead explains

  • Timeline. Week 1

  • Documents. ISO 27001 policies, Statement of Applicability, risk register

  • Outcome. Understanding of compliance requirements

  • Note. Only for roles with security/compliance responsibilities


Month 1 - Integration and Validation

Timeline: Within first 30 days

Performance and Integration Milestones

  • First code review completed (verify CODEOWNERS workflow)

  • Responsible. Contractor submits PR, team reviews

  • Timeline. Week 2-4

  • Purpose. Validate understanding of code review process and CODEOWNERS enforcement

  • Outcome. Successful PR review and merge (not self-merged per Access Control Policy)

  • First successful deployment (if applicable to role)

  • Responsible. Contractor (via CI/CD), Security Lead approves if manual

  • Timeline. Month 1

  • Method. CI/CD automated deployment or emergency manual deployment (with approval)

  • Outcome. Contractor understands deployment workflow

  • 30-day check-in with Security Lead

  • Responsible. Security Lead schedules and conducts

  • Timeline. Day 30 (±5 days)

  • Topics. Progress, challenges, access issues, questions, feedback

  • Duration. 30-60 minutes

  • Outcome. Address any onboarding gaps, provide feedback

  • Address any access or tooling issues

  • Responsible. Security Lead resolves, contractor reports

  • Timeline. Ongoing through Month 1

  • Purpose. Ensure contractor has all necessary access and tools

  • Outcome. No blockers to productivity

  • Confirm understanding of privacy-by-design principles

  • Responsible. Security Lead assesses understanding

  • Timeline. 30-day check-in

  • Topics. Zero knowledge architecture, data minimisation, privacy-first development

  • Outcome. Contractor demonstrates understanding of Maelstrom AI’s privacy philosophy


Ongoing Requirements

Timeline: Recurring throughout contractor engagement

Annual Requirements

  • Annual security awareness training (every November)

  • Responsible. Contractor completes, Security Lead tracks

  • Timeline. Every November (annually)

  • Topics. Updated threat landscape, policy changes, lessons learned from incidents

  • Documentation. Training completion record

  • Outcome. Refreshed security awareness

  • Annual HR Privacy Notice review and re-acknowledgment

  • Responsible. Privacy Officer provides updated notice, contractor acknowledges

  • Timeline. Every November or when notice updated

  • Purpose. Ensure contractor aware of any privacy notice changes

  • Documentation. Re-acknowledgment record

  • Outcome. Ongoing GAP-M015 compliance

Quarterly Requirements

  • Quarterly access review (Security Lead verifies access still required)

  • Responsible. Security Lead conducts, ISMS Owner reviews

  • Timeline. First week of each quarter (Jan, Apr, Jul, Oct)

  • Process. Verify contractor still active, access still appropriate for role, no unauthorised access

  • Documentation. Access review report

  • Outcome. Access validated per Access Control Policy

  • MFA compliance verification (quarterly)

  • Responsible. Security Lead

  • Timeline. Quarterly access review

  • Method. Check MFA status in GitHub, Google Workspace, Cloudflare admin consoles

  • Outcome. MFA still enabled on all accounts
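
The Day 1 MFA Verification Checkpoint and the quarterly MFA compliance verification above reduce to the same check for the GitHub organisation: every login recorded in the contractor tracking template is an organisation member, and none of them appears in GitHub's list of members without 2FA. The script below is an added example, not part of this checklist or Maelstrom AI's tooling; it uses GitHub's `GET /orgs/{org}/members?filter=2fa_disabled` endpoint (available to organisation owners only), and the member logins, tracking-template entries and environment variable names are constructed assumptions.

```python
"""MFA checkpoint helper: confirm every tracked GitHub org member has 2FA enabled."""
import json
import os
import urllib.request
from datetime import date

API = "https://api.github.com"


def _get_all(path, token):
    """Fetch every page of a GitHub list endpoint (per_page=100) and return the joined list."""
    results = []
    page = 1
    while True:
        sep = "&" if "?" in path else "?"
        req = urllib.request.Request(
            f"{API}{path}{sep}per_page=100&page={page}",
            headers={"Authorization": f"Bearer {token}",
                     "Accept": "application/vnd.github+json"},
        )
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        results.extend(batch)
        if len(batch) < 100:
            return results
        page += 1


def fetch_org_mfa_state(org, token):
    """Return (all member logins, logins without 2FA). The 2fa_disabled filter needs an org-owner token."""
    members = _get_all(f"/orgs/{org}/members", token)
    no_2fa = _get_all(f"/orgs/{org}/members?filter=2fa_disabled", token)
    return [m["login"] for m in members], [m["login"] for m in no_2fa]


def mfa_checkpoint(members, no_2fa, tracked_logins):
    """Evaluate the checkpoint and return an evidence record for the tracking template.

    members: every org member login; no_2fa: logins GitHub reports without 2FA;
    tracked_logins: logins listed in the contractor tracking template (assumed column).
    Compliant only when every tracked login is a member and none of them lacks 2FA.
    """
    members, no_2fa, tracked = set(members), set(no_2fa), set(tracked_logins)
    without_2fa = sorted(no_2fa & members)       # must be fixed before any repository access
    not_yet_members = sorted(tracked - members)  # "add to organisation" step still incomplete
    untracked = sorted(members - tracked)        # access not recorded in the template; review it
    return {
        "verified_on": date.today().isoformat(),
        "compliant": not without_2fa and not not_yet_members,
        "members_without_2fa": without_2fa,
        "tracked_but_not_members": not_yet_members,
        "members_not_in_tracking_template": untracked,
    }


# Constructed sample data standing in for the API responses and the tracking template.
SAMPLE_MEMBERS = ["alice-dev", "bob-sec", "carol-ops"]
SAMPLE_NO_2FA = ["carol-ops"]
SAMPLE_TRACKED = ["alice-dev", "bob-sec", "carol-ops", "dan-new"]

if __name__ == "__main__":
    # Live run uses assumed env vars GITHUB_ORG and an org-owner GITHUB_TOKEN; otherwise the sample.
    org, token = os.environ.get("GITHUB_ORG"), os.environ.get("GITHUB_TOKEN")
    if org and token:
        members, no_2fa = fetch_org_mfa_state(org, token)
    else:
        members, no_2fa = SAMPLE_MEMBERS, SAMPLE_NO_2FA
    print(json.dumps(mfa_checkpoint(members, no_2fa, SAMPLE_TRACKED), indent=2))
```

The Google Workspace and Cloudflare accounts listed in the checkpoint still need to be checked in their own admin consoles; the returned record is what gets pasted into the tracking template as the MFA verification evidence.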

Immediate Reporting Requirements

  • Immediate reporting of security incidents

  • Responsible. Contractor reports immediately

  • Contact. security@maelstrom.au

  • Timeline. Immediately upon detection

  • Examples. Suspected compromise, malware, unauthorised access, vulnerabilities

  • Outcome. Rapid incident response

  • Immediate reporting of privacy breaches

  • Responsible. Contractor reports immediately

  • Contact. security@maelstrom.au or privacy@maelstrom.au

  • Timeline. Immediately upon detection

  • Examples. Accidental data disclosure, unauthorised access to personal information

  • Outcome. Breach notification compliance (HR Privacy Notice Section 5.8)


Onboarding Completion Sign-Off

Timeline: End of Month 1

  • ISMS Owner confirms all onboarding items complete

  • Responsible. Security Lead

  • Timeline. End of Month 1

  • Method. Review this checklist, verify all items completed

  • Documentation. Store completed checklist with contractor file

  • Contractor confirms understanding of all policies and procedures

  • Responsible. Contractor provides written confirmation

  • Timeline. 30-day check-in

  • Method. Email or signed form

  • Outcome. Formal onboarding completion

  • Update contractor tracking template with onboarding completion date

  • Responsible. Security Lead

  • Timeline. End of Month 1

  • File. Contractor tracking template (maintained internally; available to auditors and enterprise customers on request)

  • Outcome. Onboarding status tracked


GAP-M015 Compliance Summary

HR Privacy Notice Delivery - MANDATORY

This onboarding checklist is designed to support GAP-M015 closure by:

  1. Delivery at Contract Signing (Day 1):
     • HR Privacy Notice provided to contractor
     • Contractor reads and acknowledges understanding
     • Acknowledgment documented and stored
  2. Acknowledgment Tracking:
     • Signed acknowledgment stored with contract (7-year retention)
     • Contractor tracking template records Privacy Notice acknowledgment date
     • Annual re-acknowledgment for ongoing contractors
  3. Integration with Policies:
     • HR Privacy Notice explains data privacy rights
     • Information Security Policy explains security responsibilities
     • Acceptable Use Policy explains system usage rules
     • Access Control Policy explains authentication and access management
  4. Data Protection Throughout Lifecycle:
     • Collection: Only necessary information collected (Day 1)
     • Use: Information used only for purposes in Privacy Notice
     • Storage: Encrypted storage per Privacy Notice Section 5
     • Retention: Per Privacy Notice Section 6 (1 year work product, 7 years financial)
     • Deletion: Deletion scheduled after retention periods

GAP-M015 Status: Expected to be closed upon implementation of this checklist


Document Information

Document Title: Contractor Onboarding Checklist
Document Owner: ISMS Owner
Effective Date: November 8, 2025
Version: 1.0
Classification: Public
Review Frequency: Annually or when policies updated
Next Review: November 8, 2026

Related Documents:

  • HR Privacy Notice: /trust/legal/hr-privacy-notice.md
  • Access Control Policy: /trust/security/access-control.mdx
  • Information Security Policy: /trust/security/information-security-policy.mdx
  • Acceptable Use Policy: /trust/security/acceptable-use.md
  • Contractor Offboarding Checklist: /trust/operations/contractor-offboarding-checklist.md
  • Contractor Tracking Template: maintained internally; available to auditors and enterprise customers on request

Acknowledgment: This checklist supports Maelstrom AI’s commitment to privacy, security, and compliance, and is designed to help contractors understand their responsibilities and access requirements.