The policies and procedures in this site are designed to satisfy the controls of the frameworks listed below. Specific control mappings are maintained in Vanta.
Active commitments: SOC 2 Type II and ISO/IEC 27001:2022. FedRAMP is on the long-term roadmap and is not a current commitment.
SOC 2 Type II
Neuroscale is pursuing a SOC 2 Type II report, attesting to the design and operating effectiveness of controls over the Trust Services Criteria — Security (always in scope) and additional criteria as the business requires (Availability, Confidentiality, Processing Integrity, Privacy).
| Criteria | In scope | Notes |
|---|---|---|
| Security | Yes | Common Criteria; baseline of any SOC 2 report. |
| Availability | Yes | Covers customer-facing service uptime; aligns with the Business Continuity Policy and Neuroscale’s customer DPA commitments. |
| Confidentiality | Yes | Customer data treated as Confidential per the Data Management Policy. |
| Processing Integrity | No | Not in scope; Neuroscale is not a transaction-processing service, and the cost of testing business-logic correctness is not warranted at the current product stage. |
| Privacy | Yes | Tag-along scope; provides independent attestation of GDPR / CCPA-aligned controls in addition to the program documentation maintained by the General Counsel (acting as Privacy Officer). |
Audit firm: Prescient Assurance, engaged through Vanta’s audit-firm partner network. First-report sequence: a Type I point-in-time report as of May 8, 2026, followed by a Type II report covering the period August 1, 2026 – August 1, 2027. The Type II fieldwork is scheduled to begin in August 2027, with the report delivered in the subsequent quarter; the Compliance Calendar carries the milestone dates.
ISO 27001
Neuroscale is also pursuing ISO/IEC 27001 certification — an international information-security management system (ISMS) standard. Many of the controls that satisfy SOC 2 also satisfy ISO 27001 Annex A. Where they differ, our policies note the additional ISO requirements.
Statement of Applicability (SoA): the live SoA is maintained in Vanta and reconciled to the Controls Inventory on each policy or control change. Current SoA decisions (controls applicable, not applicable with justification, and the responsible owner) are exported with each annual ISMS review.
FedRAMP (future)
FedRAMP is on the long-term roadmap. It is not a current commitment. FedRAMP-Moderate adds significant requirements above SOC 2 / ISO 27001 — FIPS 140-2/3 cryptography, US-only personnel for some roles, NIST 800-53 control depth, and a 3PAO assessment.
If/when Neuroscale pursues FedRAMP, the relevant policies will be updated; today’s policies satisfy the SOC 2 and ISO 27001 baseline only.
Other regimes
| Regime | Status | Owner |
|---|---|---|
| GDPR | Applicable for EU data subjects | General Counsel (acting as DPO; mandatory Art. 37 appointment not currently triggered — see Roles & Responsibilities → Regulatory titles) |
| CCPA / CPRA | Applicable for California residents | General Counsel (acting as Privacy Officer) |
| PCI DSS | Not applicable — Neuroscale does not store or process cardholder data | — |
SOC 2 system boundary and subservice organizations
The SOC 2 system description scope encompasses the people, processes, and technology used by Neuroscale to deliver the production services described in the customer DPA and Trust Center. Components in scope:
- Infrastructure — AWS US (primary cloud) and Vultr US (secondary cloud) regions used for production workloads; Neuroscale-managed Vault cluster on Vultr (HashiCorp Vault Transit + KV); production endpoints managed via Rippling.
- Software — the Arbi service code-base (versioned in GitHub, built and deployed via the engineering CI/CD pipeline), Vault, Cloudflare One (Access + Gateway), Better Stack (logs + on-call), Vanta (compliance management), Microsoft 365 (collaboration), Linear (work management), Dashlane (password management), Tailscale (production-infrastructure access for operators).
- People — Neuroscale workforce in scope per the Roles & Responsibilities Policy; contractors are in scope where engaged on Confidential systems.
- Procedures — the policies and procedures published in this site.
- Data — Customer-uploaded content, Customer account / authentication data, sourcing-graph data, operational telemetry, and audit logs.
The audit follows a carve-out method for the following subservice organizations:
| Subservice | Service provided | Carve-out scope | Complementary user-entity / sub-service controls relied on |
|---|---|---|---|
| AWS | Cloud infrastructure (compute, storage, network, KMS) | Physical and environmental, data-center operations, hypervisor isolation, hardware crypto, low-level network and storage availability | AWS SOC 1 / SOC 2 / ISO 27001 reports reviewed annually under the Vendor Risk Assessment |
| Vultr | Cloud infrastructure (compute, storage, network) | Physical and environmental, data-center operations, hypervisor isolation, hardware crypto, low-level network and storage availability | Vultr attestations reviewed annually under the Vendor Risk Assessment |
| Rippling | IdP / SSO / HRIS / MDM / EDR | Identity-of-record, mobile-device management, endpoint protection back-end | Rippling SOC 2 reviewed annually |
| Microsoft 365 | Email and collaboration | Productivity-suite back-end (mail flow, document storage) | Microsoft SOC 2 / ISO reports reviewed annually |
| Vanta | Compliance management platform | Compliance evidence collection back-end | Vanta SOC 2 reviewed annually |
| Cloudflare | Zero-trust network access (Cloudflare One), DNS, and WAF | Edge network controls and DDoS mitigation | Cloudflare SOC 2 / ISO reports reviewed annually |
| Better Stack | Log aggregation, uptime monitoring, on-call | Log delivery and on-call paging back-end | Better Stack security posture reviewed annually |
| Anthropic / OpenAI / xAI / Cerebras | Hosted AI inference | Model-hosting infrastructure | Per provider DPA and the AI provider tier in Third-Party Management |
Complementary user-entity controls (CUECs). Customers are responsible for: (i) configuring and protecting their own administrator accounts; (ii) managing their users’ access to the Neuroscale services; (iii) maintaining the human-oversight requirements applicable to their use of AI Outputs (see the Trust Center and the Privacy Notice); (iv) any AEDT / employment-AI obligations that attach to the deployer (NYC Local Law 144, Illinois HB 3773, Maryland HB 1202, Colorado AI Act, CA ADMT, EU AI Act Art. 26); and (v) ensuring lawful basis and any required transparency for the personal data they submit to the services.
How controls are tested
- Continuous — Vanta integrations check IaC, identity, endpoint, and SaaS configurations daily.
- Quarterly — Access reviews, risk-register review.
- Annual — Risk assessment, BC/DR test, incident-response tabletop, penetration test, policy re-acknowledgement.
Audit evidence
Audit evidence (signed acknowledgements, access-review sign-offs, change tickets, training completion records, vendor due-diligence packets, incident tickets, RCA documents) is collected and retained per the Data Retention Matrix and stored in Vanta and the SharePoint evidence library.
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |