This page is the canonical mapping between named roles and the responsibilities, decisions, and approvals that are scattered across the policy library. It is the operational truth-of-record — distinct from the Information Security Roles & Responsibilities Policy, which states the principle of role assignment.
Update this page in the same PR as any policy change that adds, removes, or shifts a responsibility — otherwise the policies and the personnel matrix drift out of sync.
Role taxonomy
Neuroscale uses a deliberately small role set. Three tiers, plus regulatory aliases.
| Tier | Roles | Purpose |
|---|---|---|
| Tier 1 — Executive (6) | CEO · CTO · CISO · CFO · General Counsel · CHRO | Final accountability for their function. The buck stops here. |
| Tier 2 — Operational (6) | Engineering Lead · Engineering On-call · Security On-call · Incident Manager · System Owner · Data Owner | Day-to-day ownership where segregation-of-duties matters. Today most are filled by an executive (noted below); they split out as the company grows. |
| Tier 3 — Label descriptors (4) | Manager · Hiring Manager · Risk Owner · Vendor Owner | Relational labels used in policy text. Not roles you’d staff — just descriptions of who’s accountable for a specific item. |
| Governance bodies (2) | Board of Directors · Executive Team | Collective decision-making bodies. |
Regulatory aliases map to the above roles. They are kept for legal/audit clarity but they are not separate roles: DPO = General Counsel · Privacy Officer = General Counsel · IT Manager = CISO · Compliance Manager = CISO.
Personnel directory
Who currently fills each role. **(todo: name)** and **(todo: email)** mark slots to fill in once the position is staffed. The Email column is the named individual’s direct address — group aliases (security@, legal@, etc.) live in Email & shared contact aliases below.
Tier 1 — Executive
| Role | Holder | Backup | Reports to | Email |
|---|---|---|---|---|
| CEO | Ishan Jadhwani | Board | Board of Directors | ishan.jadhwani@neuroscale.ai |
| CTO | Cameron Wolfe | CEO | CEO | cameron.wolfe@neuroscale.ai |
| CISO | Cameron Wolfe | CEO | CEO | cameron.wolfe@neuroscale.ai |
| CFO | Sayantani Nandy | CEO | CEO | sayantani.nandy@neuroscale.ai |
| General Counsel | VGC LLP (outside counsel of record; primary contact Brandt Mori; other engagement principals Avery B. Kotler, James L. Greeley) | Brandt Mori — bmori@vgcllp.com | CEO | legal@neuroscale.ai (routes to firm); firm general intake info@vgcllp.com |
| CHRO | Sayantani Nandy | CEO | CEO | sayantani.nandy@neuroscale.ai |
Role concentration. Cameron Wolfe holds CTO + CISO; Sayantani Nandy holds CFO + CHRO. For the SoD analysis and compensating controls, see Role concentration & compensating controls. Executive-escalation backup is the CEO; operational backup is the relevant Tier-2 lead.
Tier 2 — Operational
Today most operational roles are filled by an executive. As Neuroscale grows these split out, and this table is updated.
| Role | Currently held by | Splits out when | Backup |
|---|---|---|---|
| Engineering Lead | CTO | A VP Engineering or Director of Engineering is hired | Engineering On-call; CEO if executive escalation needed (CTO + CISO are one person today) |
| Engineering On-call | Better Stack rotation among senior engineers | — (already a rotation) | Secondary on-call |
| Security On-call | CISO | A security engineer is hired | Engineering On-call; CEO if executive escalation needed (CTO + CISO are one person today) |
| Incident Manager | Default = CISO; on-call IRT lead acts when CISO unavailable | Always a per-incident assignment; no permanent split | Engineering On-call lead |
| System Owner | Per system — the named accountable engineer in the Vanta asset inventory | — (always per-system) | Engineering Lead |
| Data Owner | Per data domain — see table below | — (always per-domain) | CISO (security data) |
Data-owner assignments (by domain)
| Data domain | Owner |
|---|---|
| Customer / product data | CTO |
| Source code, secrets, infra | CTO |
| Financial / banking / billing data | CFO |
| HR / employee data | CHRO |
| Legal / contracts / litigation data | General Counsel |
| Security event / incident / risk data | CISO |
| Marketing / public-website data | Marketing lead (Hanna Gillas); CEO as exec sponsor |
Functional leads (non-InfoSec)
Named functional leads outside the Tier-1 InfoSec taxonomy who own audit-relevant data or processes (e.g., marketing-consent records under GDPR Art. 7(1) and CAN-SPAM).
| Function | Holder | Reports to | Email |
|---|---|---|---|
| Marketing | Hanna Gillas | CEO | hanna.gillas@neuroscale.ai |
Tier 3 — Label descriptors
These appear in policy text but aren’t roles you’d staff. Each resolves to a specific person depending on context.
| Label | Meaning | Resolves to |
|---|---|---|
| Manager | An employee’s direct supervisor | Per-employee (HR system of record) |
| Hiring Manager | The person who opened the requisition for a role | Per-req |
| Risk Owner | The exec accountable for a specific entry in the risk register | Per-risk (an executive — usually the function lead) |
| Vendor Owner | The employee who sponsors a vendor relationship | Per-vendor (the requestor on the vendor-risk-assessment intake) |
Governance bodies
| Body | Members | Purpose |
|---|---|---|
| Board of Directors | Ishan Jadhwani | Cyber-risk oversight; reviews InfoSec, privacy, compliance posture annually |
| Executive Team | CEO (Ishan Jadhwani), CTO/CISO (Cameron Wolfe), CFO/CHRO (Sayantani Nandy), General Counsel (outside counsel) | Risk acceptance, breach determination, BC/DR activation, capital approval. Three named individuals plus outside GC, reflecting the role concentrations in Role concentration & compensating controls. |
Email & shared contact aliases
| Alias | Routes to | Use for |
|---|---|---|
| security@neuroscale.ai | CISO + Security On-call | Security incidents, suspected compromise, vulnerability reports |
| legal@neuroscale.ai | General Counsel | Legal matters, contract questions, breach-notification questions |
| privacy@neuroscale.ai | General Counsel (acting as DPO / Privacy Officer) | Data-subject requests, privacy questions, DPIAs |
| ethics@neuroscale.ai | General Counsel + CHRO | Ethics complaints, Code-of-Conduct concerns, whistleblower reports |
| helpdesk@neuroscale.ai | CISO (acting as IT Manager) | IT support, account/access requests, lost devices |
| trust@neuroscale.ai | CISO + CEO | Customer trust / SOC 2 / ISO 27001 inquiries from prospects and customers |
| people@neuroscale.ai | CHRO + (Hiring Manager for candidate matters) | All HR / People-Operations matters: workplace-violence non-emergency reports, HR complaints, applicant and candidate correspondence, background-check / FCRA / adverse-action responses, personnel-data contact for the CA Applicant Privacy Notice |
| press@neuroscale.ai | CEO (or designated spokesperson) | Inbound press / media inquiries — employees forward without comment per Customer Communications |
Responsibility matrix
Every distinct responsibility found in the policy and procedure library, mapped to the role(s) that own it. Primary is accountable; Secondary is consulted or steps in when primary is unavailable.
Governance & oversight
| Responsibility | Primary | Secondary | Source |
|---|---|---|---|
| Cyber-risk and internal-control oversight | Board of Directors | Executive Team | Roles & Responsibilities |
| Approve capital expenditure for security & privacy programs | Executive Team | CEO | Roles & Responsibilities |
| Align security/privacy posture with mission & risk appetite | Executive Team | CEO | Roles & Responsibilities |
| Communication path from InfoSec program to Board | CISO | CEO | Roles & Responsibilities |
| Acceptance & treatment of any organizational risk | CEO | CISO | Risk Management |
| Approve avoidance / remediation / transference / acceptance of items in the Risk Register | CISO | CEO | Risk Management |
| Annual risk assessment + report to leadership | CISO | CTO | Risk Management |
| Maintain the risk register | CISO | Risk Owners (per entry) | Risk Management |
| Management commitment for the IR plan | Executive Team | CEO | Incident Response |
Security operations & access control
| Responsibility | Primary | Secondary | Source |
|---|---|---|---|
| Oversight of security-controls implementation | CISO | CTO | Roles & Responsibilities |
| Design / develop / operate / maintain / monitor security controls | CISO | Engineering Lead | Roles & Responsibilities |
| Coordinate development & maintenance of security policies & standards | CISO | General Counsel | Roles & Responsibilities |
| Liaison to Board, law enforcement, internal audit, General Counsel | CISO | CEO | Roles & Responsibilities |
| Identity management & access-control oversight | CISO | Engineering Lead | Access Control |
| Approve technical access & change requests for non-standard access | System Owner | CISO | Access Control |
| Maintain confidentiality / integrity / availability of owned systems | System Owner | CISO | Roles & Responsibilities |
| Quarterly access review (user / privileged / service) | CISO | System Owners | Access Reviews |
| Provisioning / deprovisioning execution | CISO | Engineering On-call | Access Management |
| Approve privileged-access elevation | CISO | System Owner | Access Management |
| Approve material changes to standard access bundles | CISO | Engineering Lead | Access Management |
| Asset-inventory ownership | System Owners | CISO | Asset Management |
| Endpoint protection / MDM / anti-malware operation | CISO | Engineering On-call | Operations Security |
| Backup operations & annual restore test | Engineering Lead | CISO | Operations Security |
| Logging / monitoring / alerting | Engineering Lead | CISO | Operations Security |
| Vulnerability scanning & pen-testing program | CISO | Engineering Lead | Operations Security |
| Key management (AWS KMS) | CISO | Engineering Lead | Cryptography |
| Full-disk encryption on endpoints | CISO | — | Cryptography |
| Maintain TLS / SSL Labs A grade on public endpoints | Engineering Lead | CISO | Cryptography |
| Office physical security (badging, visitor management) | CHRO | CISO | Physical Security |
| Anonymous-report intake (security weakness, policy violation) | CISO | General Counsel | Information Security |
Engineering & change management
| Responsibility | Primary | Secondary | Source |
|---|---|---|---|
| Oversight of InfoSec in the SDLC | Engineering Lead | CISO | Roles & Responsibilities |
| Significant code-change review/approval (PR review) | Engineer (other than author) | Engineering Lead | Secure Development |
| Production change-management approval | Engineering Lead | CISO | Operations Security |
| Approve use of customer data in non-production environments | CTO | CISO | Secure Development |
| Release-checklist sign-off prior to deploy | Engineering Lead | Engineering On-call | Release Checklist |
| Vulnerability remediation within SLA | Engineering Lead | CISO | Vulnerability Management |
| Secrets management (HashiCorp Vault — cross-cloud secrets-of-record) | Engineering Lead | CISO | Secrets Management |
| Annual secure-development training | CTO | CHRO | Secure Development |
| Outsourced-development supervision | Engineering Lead | CISO | Secure Development |
Customer & service delivery
| Responsibility | Primary | Secondary | Source |
|---|---|---|---|
| Operation of security tools/processes in customer prod environments | CTO | Engineering Lead | Roles & Responsibilities |
| Customer data retention & deletion execution | CTO | Engineering Lead | Data Retention Matrix |
| External / customer communications during a disaster | CEO (with CFO) | CTO | Business Continuity |
| Maintain continuity of services during a disaster | CTO | CISO | Business Continuity |
| Customer asset return after service termination | CTO | CFO | Asset Management |
People / HR
| Responsibility | Primary | Secondary | Source |
|---|---|---|---|
| Ensure employees & contractors are qualified and competent | CHRO | Hiring Manager | HR Security |
| Background checks (Checkr) | CHRO | CISO | Background Checks |
| Present policies & Code of Conduct to staff | CHRO | General Counsel | Roles & Responsibilities |
| Annual performance + Code-of-Conduct review | Manager | CHRO | HR Security |
| Annual security-awareness training (Vanta) | CHRO | CISO | HR Security |
| Code-of-Conduct enforcement | CHRO | CEO | Code of Conduct |
| Disciplinary process for policy violations | CHRO | Manager + CISO | HR Security |
| Onboarding workflow trigger and tracking | CHRO | CISO | Onboarding |
| Offboarding workflow trigger | CHRO | CISO | Offboarding |
| Internal communications during a disaster; physical health/safety | CHRO | CEO | Business Continuity |
| Function-lead communications during a disaster | Function lead (CTO/CFO/CHRO/etc.) | CHRO | Business Continuity |
Legal, compliance & privacy
| Responsibility | Primary | Secondary | Source |
|---|---|---|---|
| Determine if an incident has legal/regulatory exposure or is a reportable breach | General Counsel (with CEO + Executive Team) | CEO | Incident Response |
| Review & approve external breach notices in writing | General Counsel | CEO | Incident Response |
| Final breach determination if consensus cannot be reached | CEO | General Counsel | Incident Response |
| Legal-hold determination & tracking | General Counsel | CISO | Data Management |
| Data-retention period setting (in consultation with Legal) | Data Owner | General Counsel | Data Management |
| Compliance with contractual + regulatory commitments (SOC 2, ISO 27001, GDPR, CCPA) | CISO | General Counsel | Roles & Responsibilities |
| Privacy-impact assessment (DPIA) sign-off | General Counsel (acting as DPO) | CISO | DPIA |
| Data-subject request handling | General Counsel (acting as Privacy Officer) | CISO | Data Subject Rights |
| Whistleblower / ethics intake | General Counsel + CHRO | CEO | Whistleblower |
| Records retention for whistleblower reports | General Counsel | CHRO | Whistleblower |
| Cooperate with customers, controllers, regulators during incidents | General Counsel + Executive Team | CEO | Incident Response |
Finance & vendor management
| Responsibility | Primary | Secondary | Source |
|---|---|---|---|
| Oversight of third-party risk-management process | CFO | CISO | Roles & Responsibilities |
| Review vendor service contracts | CFO | General Counsel | Roles & Responsibilities |
| Approve vendor before contract signature (after diligence) | CISO + CFO | General Counsel | Vendor Risk Assessment |
| Vendor tiering & diligence | CISO | Vendor Owner | Vendor Risk Assessment |
| Annual re-review of high-tier vendors | CISO | Vendor Owner | Vendor Risk Assessment |
Incident response
| Responsibility | Primary | Secondary | Source |
|---|---|---|---|
| Primary decision-maker during the response period | Incident Manager | CISO | Incident Response |
| Severity assignment (P0/P1/P2/P3) | Security On-call | Incident Manager | Incident Response |
| P0 escalation to executive team | Security On-call | CISO + CTO | Incident Response |
| Communication during the response period | Incident Manager | CISO | Incident Response |
| IRT membership (engineers actively responding) | Engineering On-call | Engineering Lead | Incident Response |
| Root-cause analysis on verified P0 | Incident Manager | CISO | Incident Response |
| Decide whether to call a post-mortem meeting | CISO | CTO | Incident Response |
| Internal-actor incident — direct line to CEO | Incident Manager | CISO | Incident Response |
| Annual IR-plan test | CISO | Engineering Lead | Incident Response |
| Customer / regulator notification (post-determination) | General Counsel + CEO | Executive Team | Incident Response |
| Mitigation & remediation direction | Executive Team + General Counsel | CISO | Incident Response |
Approval-authority matrix
What kinds of decisions require which role’s approval. If a decision isn’t listed, default to the policy owner of the relevant policy plus the CISO for any security-relevant change.
| Decision | Approver(s) | Source |
|---|---|---|
| Policy exception (any policy) | CISO | Every policy’s Exceptions section |
| Risk acceptance — any | CEO | Risk Management |
| Risk acceptance — High (15–25 on the 5×5) | CISO + CEO | Risk Management |
| Production access (privileged) | System Owner + CISO | Access Control |
| Customer data in non-production environments | CTO + CISO | Secure Development |
| Material change to a policy | Policy owner + CISO | Information Security |
| Material change to standard access bundles | CISO | Access Management |
| Vendor with Confidential data access | CISO + CFO | Vendor Risk Assessment |
| Transfer of confidential data outside the company | Data Owner (in writing) | Data Management |
| Distribution of Restricted data outside the company | Data Owner + executed contract | Data Management |
| Breach-reporting determination | CEO + General Counsel | Incident Response |
| External breach notice (final written approval) | General Counsel | Incident Response |
| DPIA sign-off | General Counsel (acting as DPO) | DPIA |
| Termination access-revocation override (extend retention beyond 24 business hours) | CISO | Offboarding |
| Hosting-provider outage response | CTO (with CISO and Executive Team) | Business Continuity |
| Disclosure of incident details to a third party | General Counsel or Executive Team | Incident Response |
| Capital expenditure for security/privacy program | Executive Team | Roles & Responsibilities |
| Acquisition of new vendor / cloud service | CISO + CFO | Third-Party Management |
Cross-policy alias map
The policy library uses several legacy / regulatory labels that are not separate roles. Use this table to interpret them.
| Label in policy text | Resolves to | Notes |
|---|---|---|
| IT Manager | CISO | Used in Business Continuity and Incident Response. Splits when a dedicated IT lead is hired. |
| Compliance Manager | CISO | Will become a dedicated role at scale. |
| Privacy Officer | General Counsel | Required by GDPR and several US privacy laws. Will become a dedicated role at scale. |
| DPO / Data Protection Officer | General Counsel | Required for some GDPR processing. Independence requirement may force a split for large-scale processing. |
| Incident Manager | Default = CISO; on-call IRT lead acts when CISO unavailable | Per-incident assignment, not a permanent role |
| System Owner | The accountable engineering owner per the Vanta asset inventory | — |
| Data Owner | See Data-owner assignments | — |
| Function lead | CEO / CTO / CISO / CFO / General Counsel / CHRO | Used in Business Continuity; generic for “the executive who runs the function”. |
| Executive Team | CEO + CTO + CISO + CFO + General Counsel + CHRO | Replaces “Executive Management / Staff / Leadership” wherever it appears. |
| Legal counsel | General Counsel (and outside counsel where engaged) | — |
| Customer Success / CSM | CTO (until a Customer Success function is hired) | Used in Customer Communications, Open-Source & SBOM, AI Acceptable Use, Data Subject Rights. Splits when CS is staffed. |
| Sales / Revenue | CEO (until a commercial lead is hired) | Used in AI Acceptable Use, Records Retention Schedule. Splits when commercial lead is hired. |
| Marketing | Hanna Gillas (Marketing lead); CEO as exec sponsor | Used in Records Retention Schedule. |
| People Operations / People Ops | CHRO | Letter signature blocks and procedural references in Adverse Action Letter, Background Checks. |
| Manager | An employee’s direct supervisor | Per HRIS |
| Hiring Manager | The person who opened the requisition | Per req |
| Risk Owner | The exec accountable for a specific entry in the risk register | Per risk |
| Vendor Owner | The employee who sponsors a vendor relationship | Per vendor |
How this page is maintained
- Same-PR rule. Any PR that adds, removes, or shifts a role-level responsibility must update the corresponding row in the Responsibility matrix or Approval-authority matrix. PR review verifies this.
- Personnel changes. When a named individual changes role (hire, promotion, departure), the Personnel directory is updated within 5 business days.
- Annual review. This page is reviewed end-to-end at least annually as part of the policy review cycle, and after any material organizational change.
- Owner. This page is owned by the CISO; the CHRO co-owns the personnel directory.
- Distinct from the policy. This page does not replace the Information Security Roles & Responsibilities Policy — that policy describes the principle and the high-level role definitions; this page is the operational truth-of-record.
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |