Do-Not-Contact Enforcement: An SLA-Bound Runbook
A defensible do-not-contact program is not a suppression list. It is an instrumented workflow with ownership, event triggers, reconciliation, and audit evidence across every system that can message a candidate.

If Legal asked you to prove who approved contact after a privacy request, can you retrieve it in one evidence pack with timestamps?Back to all posts
1) HOOK: Real Hiring Problem
Recommendation: Treat do-not-contact as a production incident class with an SLA, not a preference field. Scenario: A candidate emails recruiting@ with a privacy request: "Do not contact me." A coordinator updates a field in the ATS. Two days later, a sourcer pulls the same profile from a talent pool and sends an outreach sequence from a separate tool. The candidate forwards both emails to Legal, asking why the company ignored the request. Operational risk shows up immediately: - Audit liability: You cannot produce a single timeline proving suppression across every outbound system. If it is not logged, it is not defensible. - SLA breach: recruiting pauses outbound campaigns while ops verifies which tools still have the candidate in active sequences. Time-to-offer delays cluster at moments where policy is uncertain. - Cost exposure: you waste cycle-time on candidates you are not allowed to contact, and you increase the chance of escalations that pull leadership into reviews instead of closing roles. - Fraud risk: ad hoc deletion in one tool can erase integrity signals while the same person re-enters via another email. You need DNC controls without turning your stack into a fraud blind spot.
2) WHY LEGACY TOOLS FAIL
Recommendation: Stop expecting your ATS, assessment tools, and messaging platforms to coordinate policy enforcement without an event model and reconciliation. Legacy tooling patterns create DNC breaches because they assume a single system update is enough. In reality, outbound contact happens in diverse systems: recruiter inboxes, SMS providers, marketing automation, scheduling, assessment invites, and even hiring manager forwards. Why the market did not solve it: vendors optimize for their own workflow step, not for cross-system policy consistency. That produces sequential checks instead of parallelized checks, no standardized rubric storage for exceptions, and no ATS-anchored audit trails that Legal can rely on. When recruiters work around delays, they create shadow workflows, which become integrity liabilities.
3) OWNERSHIP & ACCOUNTABILITY MATRIX
Recommendation: Assign one owner for policy, one owner for enforcement plumbing, and one owner for exception decisions. Anything else becomes "everyone and no one." Ownership model: - Recruiting Ops owns: the DNC workflow definition, field hygiene, SLA dashboards, and downstream system coverage. - Security owns: access control to change DNC state, audit policy, retention rules, and evidence pack requirements. - Hiring Managers own: exception justification when a candidate is re-engaged (if allowed), and rubric discipline for any related decision-making. Automation vs manual review: - Automated: propagation to all connected tools, outbound send-time checks, block-attempt logging, reconciliation jobs. - Manual review: exceptions (for example, candidate reconsent), disputes, and any policy overrides. Manual review without evidence creates audit liabilities. Sources of truth: - Policy source of truth: ATS record for DNC status and reason code, with immutable timestamps. - Enforcement points: every system that can send outreach must check DNC at send-time, not only at import-time. - Evidence store: ATS-anchored audit trail plus evidence pack attachments (request, approvals, propagation log excerpts).
dnc_status: active | cleared
dnc_scope: email | sms | phone | all
dnc_reason: privacy-request | complaint | internal-policy
dnc_effective_at: timestamp
dnc_source: inbound-email | portal | support-ticket
dnc_reviewed_by: user id (if manual)
4) MODERN OPERATING MODEL
Recommendation: Implement DNC as an instrumented workflow: identity gate before access, event-based triggers, automated evidence capture, and dashboards. Operating model checkpoints:
Identity gate before access: restrict who can set or clear DNC, and require re-auth for overrides. Treat it like privileged access, because it controls outbound communications.
Event-based triggers: when DNC changes, emit an event that updates every outbound system in parallel instead of waiting for nightly syncs.
Automated evidence capture: write an immutable event log entry for every propagation attempt and every blocked outreach attempt (who, when, channel, tool).
Analytics dashboards: track time-to-enforcement per system, blocked-attempt counts, exception rates, and reconciliation drift (records out of sync).
Standardized rubrics: if you allow recontact based on reconsent, store the justification rubric and approval in the same evidence pack. A decision without evidence is not audit-ready.

Idempotency keys: allow safe retries without duplicating suppression actions
Retries with backoff: transient API failures should not become policy gaps
Dead-letter queue: failed propagations must create a review-bound SLA queue
Reconciliation job: nightly compare of ATS DNC state vs each tool's suppression state
5) WHERE INTEGRITYLENS FITS
Recommendation: Use IntegrityLens as the ATS-anchored control plane that logs DNC decisions, gates identity before sensitive steps, and produces evidence packs when Legal asks for proof. Where it fits operationally: - Enforces identity gating before access to high-risk steps, so DNC state and overrides are attributable to a verified operator. - Maintains ATS-anchored audit trails with immutable, timestamped event logs for DNC state changes and enforcement actions. - Produces immutable evidence packs that bundle the request, reason codes, approvals, and propagation logs for review. - Supports step-up verification patterns that reduce fraud exposure when a previously suppressed identity reappears in the funnel. - Uses zero-retention biometrics architecture for verification steps, reducing the need to store sensitive biometric artifacts while still logging the verification outcome.
6) ANTI-PATTERNS THAT MAKE FRAUD WORSE
Do not do these three things: - Treat DNC as deletion-only. You erase linkage signals that help detect repeat attempts, but you still fail to block outreach from other tools. - Enforce DNC only at import-time. Candidates can enter sequences later through lists, referrals, or manual adds. Enforcement must happen at send-time. - Allow ad hoc overrides in Slack or email. Exceptions must be policy-validated, time-bounded, and logged with reviewer accountability.
7) IMPLEMENTATION RUNBOOK
Define policy and reason codes - SLA: 5 business days (one-time rollout) - Owner: Recruiting Ops (policy) + Security (access policy) - Evidence: policy doc version, reason code taxonomy, access control list
Intake and normalize requests - SLA: 4 hours from receipt - Owner: Recruiting Ops - Evidence: request artifact (email/ticket), normalized candidate identifiers, dnc_effective_at timestamp in ATS
Write DNC state to ATS (source of truth) - SLA: 30 minutes after normalization - Evidence: ATS event log entry (who changed, before/after, reason code)
Emit DNC.changed event and propagate in parallel - SLA: start within 5 minutes of ATS update - Owner: Security (integration reliability) + Recruiting Ops (tool inventory) - Evidence: immutable event log of propagation attempts per system, with idempotency keys
Enforce send-time checks in outbound tools - SLA: 2 weeks rollout per tool (engineering), then continuous - Owner: Security (controls) + Recruiting Ops (workflows) - Evidence: blocked-attempt logs (channel, tool, user, timestamp), plus test cases
Exceptions and reconsent handling (if allowed) - SLA: 1 business day review-bound queue - Owner: Hiring Manager (justification) + Security (approval gate) + Recruiting Ops (execution) - Evidence: exception request, approval record, time-bounded scope, updated ATS log
Reconciliation and drift monitoring - SLA: nightly job, with 24-hour remediation SLA for drift - Owner: Analytics (dashboards) + Recruiting Ops (remediation) - Evidence: drift report, remediation tickets, closure timestamps
Quarterly audit drill - SLA: quarterly - Owner: Security + Recruiting Ops - Evidence: sample evidence packs proving who requested DNC, when it took effect in each system, and which outreach attempts were blocked.
Related Resources
Key takeaways
- Treat DNC as an identity-gated policy decision with immutable logs, not a tag recruiters can forget to apply.
- Make one system the policy source of truth, but enforce DNC at every outbound channel (email, SMS, interview invites, assessment links).
- Use event-based orchestration with retries, idempotency keys, and reconciliation jobs to prevent silent propagation failures.
- Define review-bound SLAs: DNC requests must take effect fast, and exceptions must be explicitly approved and logged.
- Audit readiness requires evidence: who requested DNC, who approved any exception, what systems were updated, and when outreach was blocked.
Purpose: define DNC as a policy decision in the ATS, propagated via events, enforced at send-time, and proven via immutable logs.
Designed for: Recruiting Ops to own the workflow, Security to own controls and audit policy, Analytics to monitor SLAs.
version: 1
policy: do-not-contact
enforcement:
systemOfRecord: ATS
requiredFields:
- candidate_id
- dnc_status
- dnc_scope
- dnc_reason
- dnc_effective_at
- dnc_source
scopes:
email:
enforceAt: send_time
blockIfStatus: active
sms:
enforceAt: send_time
blockIfStatus: active
phone:
enforceAt: send_time
blockIfStatus: active
events:
- name: dnc.changed
producer: ATS
idempotencyKey: "candidate_id:dnc_effective_at"
subscribers:
- system: sourcing_crm
action: suppress_profile
retry:
maxAttempts: 8
backoff: exponential
onFailure: dead_letter_queue
- system: email_sequence_tool
action: suppress_recipient
retry:
maxAttempts: 8
backoff: exponential
onFailure: dead_letter_queue
- system: scheduling_platform
action: block_invites
retry:
maxAttempts: 8
backoff: exponential
onFailure: dead_letter_queue
- system: assessment_platform
action: block_invites
retry:
maxAttempts: 8
backoff: exponential
onFailure: dead_letter_queue
logging:
immutableEventLog: true
logEvents:
- dnc.requested
- dnc.changed
- dnc.propagation_attempted
- dnc.propagation_succeeded
- dnc.propagation_failed
- dnc.outreach_blocked
exceptions:
allowed: true
requires:
- reconsent_artifact
- hiring_manager_justification
- security_approval
timeBound:
defaultDurationHours: 24
autoRevoke: true
slas:
timeToATSEnforcementMinutes: 30
timeToPropagationStartMinutes: 5
driftRemediationHours: 24
monitoring:
dashboards:
- time_to_enforcement_by_system
- blocked_outreach_attempts_by_channel
- exception_rate_over_time
- propagation_failures_dead_letter_queueOutcome proof: What changes
Before
DNC requests were handled as a recruiter task in the ATS and occasionally in an email tool. Suppression drift was discovered only after complaints, with no unified timeline of enforcement.
After
DNC became an SLA-bound workflow with ATS as policy source of truth, event-based propagation to outbound tools, send-time enforcement, and evidence packs stored as ATS-anchored audit trails.
Implementation checklist
- Define DNC policy scope (channels, brands, regions) and exception rules
- Assign system-of-record and build event schema for DNC state changes
- Implement channel-level enforcement (blocklists) plus application-level checks
- Add idempotent propagation with retries and dead-letter queues
- Create reconciliation reports and SLA dashboards by time-to-enforcement
- Store proof in ATS-anchored audit trails with reviewer accountability
Questions we hear from teams
- What is the minimum viable do-not-contact control that is still audit-ready?
- A policy source of truth in the ATS, event-driven propagation with retries, send-time blocks in every outbound channel, and an immutable event log that ties requests, changes, and blocked attempts to timestamps and operators.
- Should we delete candidate data when someone requests do-not-contact?
- Do-not-contact is a communication control, not automatically a deletion instruction. Handle deletion requests through a separate retention workflow so you do not erase linkage signals needed for fraud prevention and audit trails.
- How do we prevent recruiters from bypassing DNC with manual emails?
- You cannot rely on training alone. Implement send-time checks in sequence tools where possible, require outreach to be initiated from systems that enforce DNC, and log blocked attempts to detect and correct process drift.
- What breaks most often in DNC propagation?
- Silent API failures, mismatched identifiers (email vs candidate_id), and tools that only support list-based suppression. You mitigate this with idempotency keys, retries, dead-letter queues, and nightly reconciliation.
Ready to secure your hiring pipeline?
Let IntegrityLens help you verify identity, stop proxy interviews, and standardize screening from first touch to final offer.
Watch IntegrityLens in action
See how IntegrityLens verifies identity, detects proxy interviewing, and standardizes screening with AI interviews and coding assessments.
