Policy Center

Identifying and Responding to Human Rights Impacts

Posit Software, PBC

Addendum to the Posit Human Rights Policy

Purpose

The Saliency Addendum describes how Posit periodically steps back to identify and prioritize human rights issues at the level of our operations and value chain as a whole. Human rights due diligence also requires us to pay attention to specific situations as they arise - to have a reliable way of capturing concerns, knowing who is responsible for acting on them, and actually doing something when a potential or actual harm comes to our attention.

This Addendum covers two related but distinct things. The first is our internal process for collecting, prioritizing, and escalating information about human rights impacts and the second is how we assess and respond to human rights risks in specific client and project relationships. Together, these processes are how we turn our human rights commitments into day-to-day practice.

Part One: Collecting, Prioritizing, and Escalating Human Rights Information

How Information Reaches Us

Human rights concerns can surface through many channels, and we want all of them to work. Waiting for problems to be formally reported before taking notice is sometimes not good enough. The following are all legitimate and expected sources of information about actual or potential human rights impacts:

  • Our anonymous reporting tool and grievance procedures, which are the most direct channel for concerns raised by employees, contractors, and others. Any concern raised through these channels that touches on human rights, including labor conditions, discrimination, harassment, or concerns about how our products are being used, should be flagged for human rights review alongside any other applicable response process.
  • People Operations, which regularly surfaces patterns and concerns about working conditions, compensation equity, contractor treatment, and other employment-related issues.
  • Business development and commercial conversations, which may reveal how clients or partners intend to use our products or services in ways that raise human rights questions.
  • External signals, including media coverage, civil society reporting, regulatory inquiries, or communications from our open-source community, that indicate human rights concerns related to Posit or to relationships or contexts we operate in.
  • The saliency assessment process set out in Saliency Addendum, which may identify specific risks requiring further investigation.
  • Supplier and vendor due diligence processes, which may surface labor rights or other concerns in our value chain.

There is no single intake mechanism that will catch everything. What matters is that the people who receive information through any of these channels know that human rights concerns are something Posit takes seriously, and that they have a clear path to raise them internally.

Who Is Responsible

Clear ownership is essential to making this process work. The following roles and responsibilities apply:

General Counsel

The General Counsel has overall responsibility for Posit’s human rights processes and is the escalation point for any human rights concern that reaches the level of medium or high severity, or that involves an actual harm rather than a potential one. The General Counsel is also responsible for ensuring that the outcomes of any human rights assessment or response are documented and, where appropriate, reported to the Board.

People Operations

People Operations is the primary point of contact for human rights concerns that relate to employment, labor conditions, and workplace culture, including concerns raised by employees or contractors about their own working conditions or those of others. People Operations is responsible for triaging concerns in these areas and escalating to the General Counsel where the severity or complexity of the issue warrants it.

Business Unit Leads and Commercial Team

Business unit leads and members of our commercial team are responsible for flagging human rights concerns that arise in the context of client, partner, or supplier relationships. This includes concerns about how clients intend to use our products, labor rights issues that surface in supplier due diligence, and any situation where a business decision could have human rights implications. These concerns should be escalated to the General Counsel promptly.

All Associates

Every person who works at or with Posit has a responsibility to raise concerns they become aware of. The people closest to a situation are often the ones most likely to notice when something is wrong. Associates who raise concerns in good faith are protected from retaliation under our Code of Conduct and applicable law.

Prioritizing and Escalating Concerns

Not every concern requires the same response. The goal of prioritization is to ensure that the most serious situations get the most immediate attention, while less urgent concerns are still captured, documented, and addressed in an appropriate timeframe.

When a human rights concern is identified, the person receiving it should make an initial assessment of its severity and likelihood using the framework below. Where there is doubt about the appropriate level, the concern should be treated as the higher category until assessed more fully.

 HighMediumLow
SeverityMajor, irreparable, or long-lasting harm to people or their rightsSignificant and lasting harm to people or their rightsMinor, reparable, or temporary harm to people or their rights
LikelihoodExpected to occur continuously or is already occurringExpected to occur regularlyExpected to occur only occasionally or in specific, limited circumstances

Once severity and likelihood are assessed, escalation follows this path:

  • High severity or high likelihood: Escalate to the General Counsel immediately. If the concern involves an actual harm that may be ongoing, the General Counsel should be notified the same day. The General Counsel will determine whether Board notification is required.
  • Medium severity or likelihood: Escalate to the General Counsel within five business days. People Operations or the relevant business lead should provide an initial summary of the concern and any context they have gathered.
  • Low severity and low likelihood: Document the concern and bring it to the attention of the relevant lead (People Operations or the appropriate business unit lead) within a reasonable timeframe. Log it for inclusion in the next periodic review.

Severity and likelihood are assessed from the perspective of the people affected, not Posit’s commercial or reputational exposure. A concern that poses low risk to the company but serious risk to individuals should be escalated accordingly.

Getting More Information

An initial assessment of a concern will sometimes be based on incomplete information. Where the severity or likelihood of a potential impact is unclear, or where the scope of an issue is uncertain, the General Counsel, in coordination with People Operations and the relevant business lead, should determine what additional information is needed before deciding how to respond.

Gathering more information may involve:

  • Reviewing internal records, contracts, or communications relevant to the situation.
  • Speaking directly with the person or people who raised the concern, or with others who may have relevant knowledge, all done with appropriate care for confidentiality and the safety of those involved.
  • Engaging external experts, including human rights specialists, legal counsel, or civil society organizations, where the nature of the concern exceeds our internal expertise.
  • Reaching out to affected stakeholders where it is safe and appropriate to do so. Affected stakeholders are those whose rights are or could be at risk. Their perspective on both the impact and appropriate responses should inform our assessment wherever possible.

In every case, information-gathering should be conducted in a way that does not create additional risk for the people involved. Where there is any possibility that raising a concern has made someone vulnerable, their safety takes priority.

Internal Changes That Trigger Proactive Assessment

When we know in advance that a change in our operations or relationships could introduce new risks, we should assess those risks proactively rather than waiting for something to go wrong.

The following types of internal changes should automatically prompt a human rights assessment, led by the General Counsel in consultation with the relevant business lead:

  • New business relationships: Any significant new vendor, supplier, partner, or investor relationship, particularly in higher-risk geographies or sectors, or where the counterparty’s own human rights record is unclear.
  • New or materially changed products or services: Any new product or service line, or a material change to an existing one, where the use case could affect how people are treated or evaluated, including AI-assisted tools, features that process personal data at scale, or anything that could be used for surveillance or automated decision-making.
  • New markets or geographies: Entry into a new country or region where the human rights context is materially different from our existing footprint, including differences in labor law protections, freedom of expression, or digital rights.
  • Mergers, acquisitions, or significant restructuring: Any transaction or reorganization that would substantially change our workforce, our value chain, or our products and their uses.
  • Business model changes: A material change in how we generate revenue or deliver our products and services, where the change alters our relationships with the people affected by our work.

The General Counsel is responsible for ensuring that human rights is part of the checklist for each of these change types, and that the assessment happens before the change is finalized where possible, rather than after the fact.

Part Two: Assessing Human Rights Risks in Client and Project Relationships

Why Client and Project Relationships Require Specific Attention

The saliency assessment in the Saliency Addendum looks at human rights risks across our operations at a high level. Part One of this Addendum describes how to handle specific concerns as they arise. This Part Two addresses a third layer: specific client relationships and projects that may carry their own human rights implications, independent of any concern that has been raised.

Posit builds tools that are used to work with data at scale. In most cases, we believe that the use is entirely benign, such as researchers, educators, and data practitioners doing legitimate, valuable work. But some potential client relationships or project contexts could put our products in service of ends that raise serious human rights questions. We have a responsibility to think about those situations before we enter into them, not after.

This does not mean treating every client relationship as a human rights risk. It means having a clear, consistent process for identifying the relationships that warrant closer scrutiny, and actually applying that scrutiny.

The Assessment Process

Identifying Relationships That Warrant Review

Not every prospective client or project requires a formal human rights assessment. The following factors should prompt one:

  • We are aware that the client operates in a sector or context with known human rights concerns.
  • We are aware that the client is based in or operates significantly in a country where the rule of law, freedom of expression, or labor protections are materially weaker than our baseline expectations.
  • We are aware that the intended use case involves processing personal data about individuals at scale, making or informing decisions that affect individuals’ rights or opportunities, or enabling capabilities that could be repurposed for surveillance or tracking.
  • The project is large enough or distinctive enough in its application that it would be among our three most material client relationships or projects in the relevant year.
  • A concern has been raised internally or externally about the client or proposed use.

Where any of these factors are present, the commercial lead is responsible for flagging the relationship for human rights review before the engagement is finalized.

Conducting the Assessment

The General Counsel, with input from the commercial lead and, where relevant, People Operations or technical leads, conducts the assessment. The assessment asks:

  • What is the client’s intended use of Posit’s products or services, and what are the realistic ways in which that use could affect the rights or wellbeing of individuals?
  • Who are the people most likely to be affected, and what is the nature of the risk to them? The assessment should name specific groups where possible rather than speaking only in the abstract.
  • What is the severity of the potential impact (using the framework in Part One), and how likely is it to occur?
  • Does Posit cause or contribute to the harm directly, or are we linked to it through the client’s own activities? Our responsibility, as well as the appropriate response, differs depending on the answer.
  • Are there contractual or operational measures that could meaningfully reduce the risk? If so, are they ones the client is willing to accept?

Mitigation

Where an assessment identifies potential negative impacts, Posit should consider what can be done to prevent or reduce them before deciding whether to proceed with the relationship. Mitigation measures might include:

  • Contractual use restrictions that prohibit the client from using our products in ways that create human rights risks, with appropriate audit rights.
  • Technical constraints on the deployment or configuration of our tools.
  • Requiring the client to implement specific safeguards as a condition of the relationship.
  • Limiting the scope of the engagement to aspects that do not carry the identified risk.
  • Enhanced monitoring of the relationship and a clear process for review if concerns arise during the engagement.

Not every identified risk can be mitigated adequately. Where the assessment concludes that the potential harm is serious and that available mitigation measures are insufficient, Posit will consider declining the engagement. The General Counsel makes this recommendation; where the decision involves a material commercial relationship, it should be escalated to senior leadership for a final decision.

Recording and Reviewing Our Assessments

Each year, Posit should document the human rights assessment for its three most material client relationships or projects. The documentation should record:

  • The nature of the client relationship or project and the intended use of Posit’s products or services.
  • The specific potential negative impacts identified, the groups affected, and the severity and likelihood assessment applied to each.
  • Whether mitigation measures were identified and, if so, what they were.
  • The outcome of the assessment, such as whether Posit proceeded with the engagement, declined it, or proceeded subject to conditions, along with the rationale.
  • For ongoing relationships: whether the mitigation measures that were put in place have been effective, and whether any new concerns have arisen.

This documentation is maintained by the General Counsel and reviewed annually. It forms part of the foundation for our periodic saliency assessment under the Saliency Addendum and is available to the Board on request. Material findings are reflected in our PBC Report and B Corp recertification materials.

This policy is a living document and may be updated as our community and regulatory environment evolve.

Last Update: 2026