The policies and procedures in this documentation set are designed to satisfy the controls of the frameworks listed below. Specific control mappings are maintained in Vanta.
Active commitments: SOC 2 Type II and ISO/IEC 27001:2022. FedRAMP and DoD IL5 are on the near-term roadmap; neither is a current commitment.
SOC 2 Type II
Neuroscale is pursuing a SOC 2 Type II report, attesting to the design and operating effectiveness of controls over the Trust Services Criteria — Security (always in scope) and additional criteria as the business requires (Availability, Confidentiality, Processing Integrity, Privacy).
Initial Type II window scope (June 22 – September 22, 2026): Security only. The additional criteria (Availability, Confidentiality, Privacy) are scoped into the first subsequent Type II window (September 22, 2026 – September 22, 2027) when the corresponding controls have a documented operating history. Processing Integrity is not in scope in any window.
| Criteria | Initial Type II (Jun – Sep 2026) | First subsequent Type II (Sep 2026 – Sep 2027) | Notes |
|---|
| Security | Yes | Yes | Common Criteria; baseline of any SOC 2 report. |
| Availability | No (deferred) | Yes | Covers customer-facing service uptime; aligns with the Business Continuity Policy and Neuroscale’s customer DPA commitments. Added in the subsequent window when the customer SLA + uptime-monitoring evidence have operating history. |
| Confidentiality | No (deferred) | Yes | Customer data treated as Confidential per the Data Management Policy. Added in the subsequent window when per-workload C1.x evidence is in place. |
| Processing Integrity | No | No | Not in scope; Neuroscale is not a transaction-processing service, and the cost of testing business-logic correctness is not warranted at the current product stage. |
| Privacy | No (deferred) | Yes | Provides independent attestation of GDPR / CCPA-aligned controls in addition to the program documentation maintained by the General Counsel (acting as Privacy Officer). Added in the subsequent window when per-criterion P1–P9 controls have a documented operating history. |
Why descope for the initial window: the initial Type II observation window is 3 months, opening only ~6.5 weeks after policy effective date. The Controls Inventory was designed against the Common Criteria; standing up the ~30–40 additional control rows required for A/C/P operating-effectiveness evidence in that timeframe was determined by management (per the ISMS Management Review) to add audit risk rather than reduce it. A Security-only initial report puts attested coverage in customers’ hands fast; the subsequent window expands scope on the cadence the program can sustain.
Audit firm: Advantage Partners, engaged through Vanta’s audit-firm partner network. Report sequence:
- Type I (point-in-time) as of June 22, 2026 — the same day the initial Type II observation window opens. Type I fieldwork June 22 – late July 2026; Type I report issuance ~late August 2026.
- Initial Type II — short observation window of June 22, 2026 – September 22, 2026 (three months). Fieldwork in September 2026; report delivered the following month. The abbreviated initial window is by design — it puts an attested Type II report in customers’ hands within ~four months of Type I instead of waiting a full year, and Advantage Partners has agreed to the shortened initial cycle. Type I observation and the initial Type II observation window open on the same day (June 22, 2026) and run in parallel, so the Type I point-in-time picture and the first day of Type II operating-effectiveness evidence describe the same control design.
- Subsequent Type II — rolling 12-month windows that pick up where the prior report’s window ended, with no gap. The first subsequent window is September 22, 2026 – September 22, 2027; fieldwork in September 2027, report the following month. Each annual cycle thereafter runs Sep 22 → Sep 22.
This produces gap-free attested coverage from June 22, 2026 onward. The Compliance Calendar carries the milestone dates.
ISO 27001
Neuroscale is pursuing ISO/IEC 27001:2022 certification — the current revision of the international information-security management system (ISMS) standard. The company targets the 2022 revision only; ISO/IEC 27001:2013 has been withdrawn and certification bodies no longer issue certificates against it, so it is not a separate roadmap target. Many of the controls that satisfy SOC 2 also satisfy ISO 27001 Annex A:2022. Where they differ, Neuroscale’s policies note the additional ISO requirements.
Statement of Applicability (SoA). All 93 Annex A:2022 controls are mapped — applicability, justification, and the implementing document — in the ISO/IEC 27001:2022 Statement of Applicability. The SoA is reconciled with the Controls Inventory (the SOC 2 TSC-mapped operational list) and reviewed at each ISMS Management Review.
Certification dependency. The principal gap to certification is the clause 9.2 internal audit function: ISO certification bodies require an internal audit independent of the audited activity, and the SOC 2 compensating controls (VGC governance review, CEO attestation) do not substitute for it. Standing up that function — an independent internal auditor or a contracted third party — is the gating item for the ISO track and is tracked internally.
FedRAMP & DoD IL5 (near-term roadmap)
FedRAMP and DoD Impact Level 5 (IL5) are on the near-term roadmap. Neither is a current commitment. Neuroscale has federal customers across civilian, defense, and law-enforcement missions, and none of them currently require FedRAMP authorization for the services Neuroscale provides. DoD IL5 is anticipated as DoD-side scope expands and Neuroscale plans to address it in the near term.
FedRAMP-Moderate adds significant requirements above SOC 2 / ISO 27001 — FIPS 140-2/3 cryptography, US-only personnel for some roles, NIST 800-53 control depth, and a 3PAO assessment. IL5 layers DoD SRG (CC/SCG) requirements on top of FedRAMP High, including additional personnel-screening, network-isolation, and US-sovereign infrastructure constraints.
When Neuroscale pursues FedRAMP and/or IL5 authorization, the relevant policies will be updated; today’s policies satisfy the SOC 2 and ISO 27001:2022 baseline only.
Other regimes
| Regime | Status | Owner |
|---|
| GDPR | Applicable for EU data subjects | General Counsel (acting as DPO; mandatory Art. 37 appointment not currently triggered — see Roles & Responsibilities → Regulatory aliases) |
| CCPA / CPRA | Applicable for California residents | General Counsel (acting as Privacy Officer) |
| US state privacy laws (VCDPA, CPA, CTDPA, TDPSA, and analogous statutes) | Applicable for residents of enacting states; operationalized through the Data Subject Rights Procedure and Privacy Notice | General Counsel (acting as Privacy Officer) |
| EU AI Act | Art. 50 transparency obligations apply to AI features interacting with natural persons; Annex III high-risk (employment AI) analysis required before any EU market placement — see AI Acceptable Use Policy and the AI Model Registry | General Counsel + CTO |
| ISO/IEC 42001 (AI management system) | Roadmap — AIMS certification planned to follow ISO 27001; AIMS anchored in the AI Acceptable Use Policy → AI Management System with all 38 Annex A controls mapped in the AIMS Statement of Applicability | CTO (AIMS Owner) + GC |
| PCI DSS | Not applicable — Neuroscale does not store or process cardholder data | — |
SOC 2 system boundary and subservice organizations
The SOC 2 system description scope encompasses the people, processes, and technology used by Neuroscale to deliver the production services described in the customer DPA and Trust Center. Components in scope:
- Infrastructure — AWS US (primary cloud) and Vultr US (secondary cloud) regions used for production workloads; Neuroscale-managed Vault cluster on Vultr (HashiCorp Vault Transit + KV); production endpoints managed via Rippling.
- Software — the Arbi service code-base (versioned in GitHub, built and deployed via the engineering CI/CD pipeline), Vault, Cloudflare One (Access + Gateway), Better Stack (logs + on-call), Vanta (compliance management), Microsoft 365 (collaboration), Linear (work management), Dashlane (workforce password manager), Tailscale (production-infrastructure access for operators).
- People — Neuroscale workforce in scope per the Roles & Responsibilities Policy; contractors are in scope where engaged on Confidential systems.
- Procedures — the policies and procedures in this documentation set.
- Data — Customer-uploaded content, Customer account / authentication data, sourcing-graph data, operational telemetry, and audit logs.
The audit follows a carve-out method for the following subservice organizations:
| Subservice | Service provided | Carve-out scope | Complementary user-entity / sub-service controls relied on |
|---|
| AWS | Cloud infrastructure (compute, storage, network, KMS) | Physical and environmental, data-center operations, hypervisor isolation, hardware crypto, low-level network and storage availability | AWS SOC 1 / SOC 2 / ISO 27001 reports reviewed annually under the Vendor Risk Assessment |
| Vultr | Cloud infrastructure (compute, storage, network) | Physical and environmental, data-center operations, hypervisor isolation, hardware crypto, low-level network and storage availability | Vultr attestations reviewed annually under the Vendor Risk Assessment |
| Rippling | IdP / SSO / HRIS / MDM / EDR | Identity-of-record, mobile-device management, endpoint protection back-end | Rippling SOC 2 reviewed annually |
| Microsoft 365 | Email and collaboration | Productivity-suite back-end (mail flow, document storage) | Microsoft SOC 2 / ISO reports reviewed annually |
| Vanta | Compliance management platform | Compliance evidence collection back-end | Vanta SOC 2 reviewed annually |
| Cloudflare | Zero-trust network access (Cloudflare One), DNS, and WAF | Edge network controls and DDoS mitigation | Cloudflare SOC 2 / ISO reports reviewed annually |
| Better Stack | Log aggregation, uptime monitoring, on-call | Log delivery and on-call paging back-end | Better Stack security posture reviewed annually |
| Anthropic / OpenAI / xAI / Cerebras | Hosted AI inference | Model-hosting infrastructure | Per provider DPA and the AI provider tier in Third-Party Management |
Complementary user-entity controls (CUECs). Customers are responsible for: (i) configuring and protecting their own administrator accounts; (ii) managing their users’ access to the Neuroscale services; (iii) maintaining the human-oversight requirements applicable to their use of AI Outputs (see the Trust Center and the Privacy Notice); (iv) any AEDT / employment-AI obligations that attach to the deployer (NYC Local Law 144, Illinois HB 3773, Maryland HB 1202, Colorado AI Act, CA ADMT, EU AI Act Art. 26); and (v) ensuring lawful basis and any required transparency for the personal data they submit to the services.
How controls are tested
- Continuous — Vanta integrations check IaC, identity, endpoint, and SaaS configurations daily.
- Quarterly — Access reviews, risk-register review, backup-restore test (per data store), ISMS Management Review.
- Annual — Risk assessment, full BC/DR exercise, incident-response tabletop, penetration test, policy re-acknowledgement.
Initial Type II window scope. For the initial 3-month Type II window (June 22 – September 22, 2026), several annual controls do not naturally cycle inside the window. The Annual Controls — First-Cycle Treatment register documents which annual controls were intentionally pulled into the initial window (pen-test, risk assessment, data-retention review, legal-hold review, cloud-service-agreement review, supplier service-delivery review, AWS shared-responsibility review, six High-tier vendor reviews, per-class key rotations) and which are design-only with first cycle in the first subsequent 12-month window (full DR exercise, IR tabletop, annual policy re-ack, annual training cycle, network-security assessment, etc.).
Audit evidence
Audit evidence (signed acknowledgements, access-review sign-offs, change tickets, training completion records, vendor due-diligence packets, incident tickets, RCA documents) is collected and retained per the Data Retention Matrix and stored in Vanta and the SharePoint evidence library.
Version history
| Version | Date | Description | Author | Approved by |
|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |