The policies and procedures in this documentation set are designed to satisfy the controls of the frameworks listed below. Specific control mappings are maintained in Vanta.
Active commitments: SOC 2 Type II and ISO/IEC 27001:2022. FedRAMP and DoD IL5 are on the near-term roadmap; neither is a current commitment.

SOC 2 Type II

Neuroscale is pursuing a SOC 2 Type II report, attesting to the design and operating effectiveness of controls over the Trust Services Criteria — Security (always in scope) and additional criteria as the business requires (Availability, Confidentiality, Processing Integrity, Privacy). Initial Type II window scope (June 22 – September 22, 2026): Security only. The additional criteria (Availability, Confidentiality, Privacy) are scoped into the first subsequent Type II window (September 22, 2026 – September 22, 2027) when the corresponding controls have a documented operating history. Processing Integrity is not in scope in any window.
CriteriaInitial Type II (Jun – Sep 2026)First subsequent Type II (Sep 2026 – Sep 2027)Notes
SecurityYesYesCommon Criteria; baseline of any SOC 2 report.
AvailabilityNo (deferred)YesCovers customer-facing service uptime; aligns with the Business Continuity Policy and Neuroscale’s customer DPA commitments. Added in the subsequent window when the customer SLA + uptime-monitoring evidence have operating history.
ConfidentialityNo (deferred)YesCustomer data treated as Confidential per the Data Management Policy. Added in the subsequent window when per-workload C1.x evidence is in place.
Processing IntegrityNoNoNot in scope; Neuroscale is not a transaction-processing service, and the cost of testing business-logic correctness is not warranted at the current product stage.
PrivacyNo (deferred)YesProvides independent attestation of GDPR / CCPA-aligned controls in addition to the program documentation maintained by the General Counsel (acting as Privacy Officer). Added in the subsequent window when per-criterion P1–P9 controls have a documented operating history.
Why descope for the initial window: the initial Type II observation window is 3 months, opening only ~6.5 weeks after policy effective date. The Controls Inventory was designed against the Common Criteria; standing up the ~30–40 additional control rows required for A/C/P operating-effectiveness evidence in that timeframe was determined by management (per the ISMS Management Review) to add audit risk rather than reduce it. A Security-only initial report puts attested coverage in customers’ hands fast; the subsequent window expands scope on the cadence the program can sustain. Audit firm: Advantage Partners, engaged through Vanta’s audit-firm partner network. Report sequence:
  1. Type I (point-in-time) as of June 22, 2026 — the same day the initial Type II observation window opens. Type I fieldwork June 22 – late July 2026; Type I report issuance ~late August 2026.
  2. Initial Type II — short observation window of June 22, 2026 – September 22, 2026 (three months). Fieldwork in September 2026; report delivered the following month. The abbreviated initial window is by design — it puts an attested Type II report in customers’ hands within ~four months of Type I instead of waiting a full year, and Advantage Partners has agreed to the shortened initial cycle. Type I observation and the initial Type II observation window open on the same day (June 22, 2026) and run in parallel, so the Type I point-in-time picture and the first day of Type II operating-effectiveness evidence describe the same control design.
  3. Subsequent Type II — rolling 12-month windows that pick up where the prior report’s window ended, with no gap. The first subsequent window is September 22, 2026 – September 22, 2027; fieldwork in September 2027, report the following month. Each annual cycle thereafter runs Sep 22 → Sep 22.
This produces gap-free attested coverage from June 22, 2026 onward. The Compliance Calendar carries the milestone dates.

ISO 27001

Neuroscale is pursuing ISO/IEC 27001:2022 certification — the current revision of the international information-security management system (ISMS) standard. The company targets the 2022 revision only; ISO/IEC 27001:2013 has been withdrawn and certification bodies no longer issue certificates against it, so it is not a separate roadmap target. Many of the controls that satisfy SOC 2 also satisfy ISO 27001 Annex A:2022. Where they differ, Neuroscale’s policies note the additional ISO requirements. Statement of Applicability (SoA). All 93 Annex A:2022 controls are mapped — applicability, justification, and the implementing document — in the ISO/IEC 27001:2022 Statement of Applicability. The SoA is reconciled with the Controls Inventory (the SOC 2 TSC-mapped operational list) and reviewed at each ISMS Management Review. Certification dependency. The principal gap to certification is the clause 9.2 internal audit function: ISO certification bodies require an internal audit independent of the audited activity, and the SOC 2 compensating controls (VGC governance review, CEO attestation) do not substitute for it. Standing up that function — an independent internal auditor or a contracted third party — is the gating item for the ISO track and is tracked internally.

FedRAMP & DoD IL5 (near-term roadmap)

FedRAMP and DoD Impact Level 5 (IL5) are on the near-term roadmap. Neither is a current commitment. Neuroscale has federal customers across civilian, defense, and law-enforcement missions, and none of them currently require FedRAMP authorization for the services Neuroscale provides. DoD IL5 is anticipated as DoD-side scope expands and Neuroscale plans to address it in the near term. FedRAMP-Moderate adds significant requirements above SOC 2 / ISO 27001 — FIPS 140-2/3 cryptography, US-only personnel for some roles, NIST 800-53 control depth, and a 3PAO assessment. IL5 layers DoD SRG (CC/SCG) requirements on top of FedRAMP High, including additional personnel-screening, network-isolation, and US-sovereign infrastructure constraints. When Neuroscale pursues FedRAMP and/or IL5 authorization, the relevant policies will be updated; today’s policies satisfy the SOC 2 and ISO 27001:2022 baseline only.

Other regimes

RegimeStatusOwner
GDPRApplicable for EU data subjectsGeneral Counsel (acting as DPO; mandatory Art. 37 appointment not currently triggered — see Roles & Responsibilities → Regulatory aliases)
CCPA / CPRAApplicable for California residentsGeneral Counsel (acting as Privacy Officer)
US state privacy laws (VCDPA, CPA, CTDPA, TDPSA, and analogous statutes)Applicable for residents of enacting states; operationalized through the Data Subject Rights Procedure and Privacy NoticeGeneral Counsel (acting as Privacy Officer)
EU AI ActArt. 50 transparency obligations apply to AI features interacting with natural persons; Annex III high-risk (employment AI) analysis required before any EU market placement — see AI Acceptable Use Policy and the AI Model RegistryGeneral Counsel + CTO
ISO/IEC 42001 (AI management system)Roadmap — AIMS certification planned to follow ISO 27001; AIMS anchored in the AI Acceptable Use Policy → AI Management System with all 38 Annex A controls mapped in the AIMS Statement of ApplicabilityCTO (AIMS Owner) + GC
PCI DSSNot applicable — Neuroscale does not store or process cardholder data

SOC 2 system boundary and subservice organizations

The SOC 2 system description scope encompasses the people, processes, and technology used by Neuroscale to deliver the production services described in the customer DPA and Trust Center. Components in scope:
  • Infrastructure — AWS US (primary cloud) and Vultr US (secondary cloud) regions used for production workloads; Neuroscale-managed Vault cluster on Vultr (HashiCorp Vault Transit + KV); production endpoints managed via Rippling.
  • Software — the Arbi service code-base (versioned in GitHub, built and deployed via the engineering CI/CD pipeline), Vault, Cloudflare One (Access + Gateway), Better Stack (logs + on-call), Vanta (compliance management), Microsoft 365 (collaboration), Linear (work management), Dashlane (workforce password manager), Tailscale (production-infrastructure access for operators).
  • People — Neuroscale workforce in scope per the Roles & Responsibilities Policy; contractors are in scope where engaged on Confidential systems.
  • Procedures — the policies and procedures in this documentation set.
  • Data — Customer-uploaded content, Customer account / authentication data, sourcing-graph data, operational telemetry, and audit logs.
The audit follows a carve-out method for the following subservice organizations:
SubserviceService providedCarve-out scopeComplementary user-entity / sub-service controls relied on
AWSCloud infrastructure (compute, storage, network, KMS)Physical and environmental, data-center operations, hypervisor isolation, hardware crypto, low-level network and storage availabilityAWS SOC 1 / SOC 2 / ISO 27001 reports reviewed annually under the Vendor Risk Assessment
VultrCloud infrastructure (compute, storage, network)Physical and environmental, data-center operations, hypervisor isolation, hardware crypto, low-level network and storage availabilityVultr attestations reviewed annually under the Vendor Risk Assessment
RipplingIdP / SSO / HRIS / MDM / EDRIdentity-of-record, mobile-device management, endpoint protection back-endRippling SOC 2 reviewed annually
Microsoft 365Email and collaborationProductivity-suite back-end (mail flow, document storage)Microsoft SOC 2 / ISO reports reviewed annually
VantaCompliance management platformCompliance evidence collection back-endVanta SOC 2 reviewed annually
CloudflareZero-trust network access (Cloudflare One), DNS, and WAFEdge network controls and DDoS mitigationCloudflare SOC 2 / ISO reports reviewed annually
Better StackLog aggregation, uptime monitoring, on-callLog delivery and on-call paging back-endBetter Stack security posture reviewed annually
Anthropic / OpenAI / xAI / CerebrasHosted AI inferenceModel-hosting infrastructurePer provider DPA and the AI provider tier in Third-Party Management
Complementary user-entity controls (CUECs). Customers are responsible for: (i) configuring and protecting their own administrator accounts; (ii) managing their users’ access to the Neuroscale services; (iii) maintaining the human-oversight requirements applicable to their use of AI Outputs (see the Trust Center and the Privacy Notice); (iv) any AEDT / employment-AI obligations that attach to the deployer (NYC Local Law 144, Illinois HB 3773, Maryland HB 1202, Colorado AI Act, CA ADMT, EU AI Act Art. 26); and (v) ensuring lawful basis and any required transparency for the personal data they submit to the services.

How controls are tested

  • Continuous — Vanta integrations check IaC, identity, endpoint, and SaaS configurations daily.
  • QuarterlyAccess reviews, risk-register review, backup-restore test (per data store), ISMS Management Review.
  • Annual — Risk assessment, full BC/DR exercise, incident-response tabletop, penetration test, policy re-acknowledgement.
Initial Type II window scope. For the initial 3-month Type II window (June 22 – September 22, 2026), several annual controls do not naturally cycle inside the window. The Annual Controls — First-Cycle Treatment register documents which annual controls were intentionally pulled into the initial window (pen-test, risk assessment, data-retention review, legal-hold review, cloud-service-agreement review, supplier service-delivery review, AWS shared-responsibility review, six High-tier vendor reviews, per-class key rotations) and which are design-only with first cycle in the first subsequent 12-month window (full DR exercise, IR tabletop, annual policy re-ack, annual training cycle, network-security assessment, etc.).

Audit evidence

Audit evidence (signed acknowledgements, access-review sign-offs, change tickets, training completion records, vendor due-diligence packets, incident tickets, RCA documents) is collected and retained per the Data Retention Matrix and stored in Vanta and the SharePoint evidence library.

Version history

VersionDateDescriptionAuthorApproved by
1.0May 8, 2026Initial versionCameron WolfeIshan Jadhwani