Policy Owner: CISO
Effective Date: May 8, 2026
Reviewed: Annually
Next Review: May 8, 2027

Purpose

To ensure that information is classified, protected, retained, and securely disposed of in accordance with its importance to the organization.

Scope

All Neuroscale data, information, and information systems.

Definitions

This policy uses Personal Information (and the abbreviation PII) as an umbrella term that captures the broadest applicable statutory definition for any given record. Specifically:
  • Personal Information / PII (Neuroscale internal term) — any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular natural person or household, and any information whose handling is regulated by an applicable privacy law. Where two definitions disagree, Neuroscale applies the broadest.
  • Personal Data (GDPR / UK GDPR) — any information relating to an identified or identifiable natural person, per Art. 4(1) of Regulation (EU) 2016/679 and the U.K. Data Protection Act 2018.
  • Personal Information (CCPA/CPRA) — information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a particular consumer or household, per Cal. Civ. Code §1798.140(v).
  • Sensitive Personal Information / Sensitive Personal Data — the heightened-protection subsets of the foregoing (CPRA §1798.140(ae); GDPR Art. 9 special-category data; analogous state-law categories).
  • Private Information (NY SHIELD Act) — the narrower subset defined in N.Y. Gen. Bus. Law §899-aa(1)(b).
  • Personal Information (other state laws) — the analogous term in CO, CT, VA, UT, TX, OR, MT, IA, DE, NJ, NH, MN, MD, RI, IN, TN and other comprehensive state privacy statutes, applied to the extent each statute reaches Neuroscale’s processing.
When this policy or another Neuroscale policy refers to “PII” or “Personal Information” without further qualification, the term carries this umbrella meaning. Specific statutory terms (“Personal Data,” “Sensitive Personal Information,” etc.) are used where a particular legal regime governs. Notably out of scope as currently defined:
  • Protected Health Information (PHI) / HIPAA — Neuroscale is not a HIPAA Covered Entity or Business Associate; PHI is not collected, processed, or stored, and Business Associate Agreements are not in scope. If this changes, this policy and the Information Security Policy will be re-scoped before any PHI is accepted.

Policy

Neuroscale classifies data and information systems in accordance with legal requirements, sensitivity, and business criticality. Data owners identify any additional requirements for specific data or exceptions to standard handling. Information systems and applications are classified according to the highest classification of data they store or process.

Data classification

Confidential

Highly sensitive data requiring the highest levels of protection. Access is restricted to specific employees or departments; records can only be passed to others with approval from the data owner or a company executive. Examples:
  • Customer data
  • Personally Identifiable Information (PII)
  • Company financial and banking data
  • Salary, compensation, and payroll information
  • Strategic plans
  • Incident reports
  • Risk-assessment reports
  • Technical vulnerability reports
  • Authentication credentials
  • Secrets and private keys
  • Source code
  • Litigation data

Restricted

Neuroscale proprietary information requiring thorough protection. Access is restricted to employees with a “need-to-know” based on business requirements. Distribution outside the company requires approval. This is the default classification unless stated otherwise. Examples:
  • Internal policies
  • Legal documents
  • Meeting minutes and internal presentations
  • Contracts
  • Internal reports
  • Slack messages
  • Email

Public

Documents intended for public consumption that can be freely distributed outside Neuroscale. Examples:
  • Marketing materials
  • Product descriptions
  • Release notes
  • External-facing policies (privacy policy, ToS)

Labeling

Confidential data is labeled “Confidential” whenever paper copies are produced for distribution.

Data handling

Confidential data

  • Access for non-preapproved roles requires documented approval from the data owner.
  • Restricted to specific employees, roles, or departments.
  • Confidential systems do not allow unauthenticated or anonymous access.
  • Confidential customer data is not used or stored in non-production systems/environments.
  • Encrypted at rest and in transit over public networks per the Cryptography Policy.
  • Mobile-device drives storing confidential data are encrypted.
  • Devices storing or accessing confidential data are protected by a logon password (or biometric) and locked after 5 minutes of non-use.
  • Backups are encrypted.
  • Confidential data is not stored on personal phones, devices, or removable media (USB, CD, DVD).
  • Paper records are labeled “Confidential” and securely stored and disposed of.
  • Hard-copy records are created only based on business need.
  • Hard drives and mobile devices used to store confidential information are securely wiped or physically destroyed prior to disposal.
  • Transfer of confidential data outside the company is done only under a legal contract and with explicit written permission from management or the data owner.

Restricted data

  • Restricted to users with a need-to-know.
  • Restricted systems do not allow unauthenticated or anonymous access.
  • Transfer outside the company or to non-authorized users requires management approval and a legal contract or data-owner permission.
  • Paper records are securely stored and disposed of.
  • Hard drives and mobile devices used to store restricted information are securely wiped or destroyed prior to disposal.

Public data

No special protection or handling controls. Public data may be freely distributed.

Data retention

Neuroscale retains data only as long as the company has a need or to meet regulatory or contractual requirements. Once data is no longer needed, it is securely disposed of or archived. Data owners, in consultation with legal counsel, may determine retention periods. PII is deleted or de-identified as soon as it no longer has a business use. Retention periods are documented in the Data Retention Matrix.

Data & device disposal

Data classified as Restricted or Confidential is securely deleted when no longer needed. Neuroscale assesses the data and disposal practices of third-party vendors per the Third-Party Management Policy. Only third parties meeting Neuroscale requirements for secure data disposal are used for storage and processing of restricted or confidential data. All restricted and confidential data is securely deleted from company devices prior to or at the time of disposal. Confidential and restricted hard-copy materials are shredded or otherwise disposed of using a secure method. PII is collected, used, and retained only as long as we have a legitimate business purpose. PII is securely deleted following contract termination per company policy, contractual commitments, and applicable laws. PII is also deleted in response to a verified request from a consumer or data subject, where the company does not have a legitimate business interest or other legal obligation to retain it.

Annual review

Management reviews data-retention requirements during the annual review of this policy. Data is disposed of in accordance with this policy. Under certain circumstances Neuroscale may become subject to legal proceedings requiring retention of data associated with legal holds, lawsuits, or other matters as stipulated by Neuroscale legal counsel. Such records are exempt from any other requirement of this policy and are retained per Legal’s instructions. All holds and special retention requirements are subject to annual review with Neuroscale legal counsel. Active legal holds are tracked in the Legal Holds project in Linear (restricted access).

Exceptions

Requests for exceptions must be submitted to the CISO (in consultation with General Counsel for matters with legal implications) for approval.

Violations & enforcement

Report violations to the CISO. Violations may result in suspension of system and network privileges and disciplinary action up to and including termination.

Appendices

  • Data Retention Matrix — retention periods by system.
  • Internal retention and disposal procedure — owned by Engineering.

Version history

Version   Date          Description       Author          Approved by
1.0       May 8, 2026   Initial version   Cameron Wolfe   Ishan Jadhwani