Policy Owner: CHRO (with General Counsel sign-off)
Effective Date: May 8, 2026
Reviewed: Annually
Next Review: May 8, 2027

Purpose

This policy explains what personal information Neuroscale collects, processes, stores, and shares about its workforce; the purposes and legal bases for that processing; how long we keep it; the controls we apply to it; and the rights you have. It is the internal companion to Neuroscale’s external-facing privacy notice and is intended to satisfy notice obligations under applicable U.S. state employee-privacy laws and analogous laws abroad. This policy works alongside the Information Security Policy, the Data Management Policy, the Code of Conduct, and the Human Resources Security Policy.

Scope

This policy applies to:
  • All Neuroscale employees, contractors, interns, and temporary staff (collectively in this policy, “workforce” or “you”), worldwide.
  • Applicants, where stated.
  • Former workforce members, with respect to information retained after offboarding.
The policy covers personal information processed by Neuroscale in the employment context. It does not cover Neuroscale’s processing of customer or end-user data, which is governed separately.

Categories of personal information we collect

CategoryExamples
IdentifiersLegal name, preferred name, employee ID, work email, personal email, phone numbers, home address, government identifiers (SSN/TIN, passport, work-authorization documents).
RecruitingResume, cover letter, interview notes, references, background-check results from Checkr, offer correspondence.
Employment recordJob title, department, manager, hire date, employment status, work location, compensation, equity grants, performance reviews, promotions, disciplinary records.
Payroll & benefitsBank account for direct deposit, tax-withholding information, benefits elections, dependents’ information (where you elect coverage), retirement contributions.
Time & attendanceSchedules, time off, leave records, sick time.
Communications metadataEmail and calendar metadata in Microsoft 365; Slack workspace activity; SharePoint access; document collaboration metadata.
Device & systemsCompany-issued device identifiers, inventory, and endpoint telemetry from Rippling (MDM + EDR); Cloudflare One connection, identity, and device-posture metadata (WARP, Access, Gateway) for general workforce access; Tailscale connection metadata for the restricted set of personnel with production-infrastructure access; authentication and SSO logs from Rippling.
Sensitive categories (where lawful and necessary)Demographic information voluntarily provided for EEO/diversity reporting; medical information (limited to what’s needed to administer leave, accommodations, and benefits); biometric information (see Biometric data).
Physical-access & visit recordsOffice badge logs (where applicable), visitor logs.
Equity & financeCap-table records, RSU/option grants, vesting schedules, secondary-transaction records.
Health & safetyWorkplace-incident reports under the Workplace Violence Prevention Policy and OSHA-mandated records.
We collect personal information from you directly (forms, applications, your devices), from third parties (Checkr for background checks, payroll/benefits providers, references, public sources), and automatically through the systems we operate (Microsoft 365, Rippling, Cloudflare One, Better Stack, etc.).

Why we process this information (purposes)

  • Recruiting, hiring, and onboarding decisions.
  • Administering the employment relationship: pay, benefits, taxes, leave, performance, promotions, training (Vanta LMS), and offboarding.
  • Operating Neuroscale’s information systems and meeting our obligations under the Information Security Policy, including authentication, endpoint protection, vulnerability management, incident detection and response, and access-control reviews.
  • Health, safety, and accommodation.
  • Legal, regulatory, and contractual compliance (tax, immigration, labor, equal-opportunity, audit, e-discovery, response to government requests).
  • Investigations of suspected misconduct or policy violations, in accordance with the Code of Conduct and the Incident Response Plan.
  • Internal analytics aimed at running and improving the business.
Neuroscale relies on the following legal bases, which apply by jurisdiction:
  • Performance of the employment contract. Most processing necessary to pay you, administer benefits, and run the employment relationship.
  • Legal obligation. Tax, immigration, payroll-reporting, OSHA, labor, equal-opportunity, and similar statutory requirements.
  • Legitimate interests. Information-security operations, fraud prevention, business administration, and similar — balanced against your rights and reasonable expectations.
  • Consent. Where consent is the appropriate basis (e.g., voluntary diversity self-identification, certain benefits elections, biometric collection where the law requires consent). Consent can be withdrawn at any time without detriment, except where another legal basis applies.
  • Vital interests / public interest. In limited circumstances such as health and safety emergencies.
As of the effective date of this policy, Neuroscale’s workforce is located in the United States only and the legal-bases analysis above is applied accordingly. If Neuroscale begins to employ or contract staff outside the United States, the General Counsel and CHRO will, before the first non-U.S. hire in that jurisdiction:
  • Document the legal basis for each processing activity under the locally applicable regime (e.g., GDPR Art. 6 / 9 for EU and UK; Switzerland FADP; Brazil LGPD; Canada PIPEDA / provincial law; Australia Privacy Act 1988; equivalents elsewhere). For employment-context legitimate-interest reliance under GDPR Art. 6(1)(f), a written Legitimate Interests Assessment (LIA) is filed and stored in Vanta.
  • Determine whether a local data-protection officer, privacy representative (GDPR Art. 27), or works-council consultation is required, and complete that step before processing begins.
  • Update this policy with the jurisdiction-specific legal-basis and data-subject-rights amendments.
The General Counsel reviews this section annually and on each material expansion of Neuroscale’s workforce footprint.

Monitoring of communications, devices, and network

Neuroscale-issued accounts, devices, networks, and information systems are provided for work. You should have no expectation of privacy in your use of Neuroscale systems, except as required by law. Neuroscale logs and may review activity on those systems for the purposes set out above. Specifically:
  • Email & calendar (Microsoft 365). Metadata is logged. Content is not routinely reviewed but may be reviewed for security investigations, e-discovery, regulatory response, suspected policy violations, or operational continuity needs (e.g., customer continuity during an unplanned absence), with approval per the Information Security Policy → Acceptable Use.
  • Endpoint (Rippling). Company-issued devices report inventory, configuration, and security telemetry. Rippling collects process, network, and file telemetry needed to detect and respond to threats. Personal use of company devices is discouraged; Neuroscale does not differentiate personal content on company devices.
  • BYOD. Personal devices used for Neuroscale work — limited per the Information Security Policy → Device policy — are enrolled in Rippling Mobile Application Management (MAM) for mobile and full Rippling MDM for laptops where required. On BYOD mobile devices, Neuroscale’s view is limited to the Neuroscale-managed app container and basic compliance metadata (managed-app inventory, OS version, compliance state). Neuroscale does not access personal applications, photos, browsing history, location, or call/SMS metadata on BYOD devices. On offboarding or device loss, Neuroscale performs a selective wipe of Neuroscale-managed apps and data only.
  • Network (Cloudflare One). Cloudflare One — covering WARP (VPN), Access (ZTNA), and Gateway (DNS/HTTP filtering) — is the standard network tunnel and access layer for all staff. Connection metadata, identity, device-posture signals, and DNS/HTTP metadata are logged for security and policy enforcement.
  • Production access (Tailscale). Tailscale is restricted to the subset of staff with documented production-infrastructure access (Engineering On-call, System Owners, and similar). Tailscale connection metadata for those users is logged.
  • Email security (Material). Inbound and internal mail flows through Material for phishing and BEC protection; mailbox metadata is processed for that purpose.
  • Source control & build (GitHub + GitHub Actions). Authorship, access, and build metadata are retained for the life of the repository and audit logs.
  • Logging & alerts (Better Stack, CloudWatch). Authentication and system logs are retained for security and operational purposes.
We do not engage in continuous keystroke logging, screen recording, webcam or microphone monitoring, productivity-scoring of individuals, or location tracking off-duty. State-specific notice:
  • California. California’s Consumer Privacy Act, as amended by CPRA, applies in full to employee personal information as of January 1, 2023. This policy, together with our Notice at Collection delivered at hire, satisfies the §1798.100(a)/(b) notice obligations for California-based workforce members. See Sensitive Personal Information below for the categories of SPI Neuroscale collects about its workforce and the §1798.121 right to limit use.
  • New York. Consistent with N.Y. Civ. Rights Law §52-c, written notice of electronic monitoring is provided at hire and posted in a conspicuous place in the workplace. Acknowledgement is captured in Vanta.
  • Connecticut. Consistent with Conn. Gen. Stat. §31-48d, prior written notice of electronic monitoring is provided to staff working in Connecticut and posted in a conspicuous location.
  • Delaware. Consistent with 19 Del. C. §705, prior written notice of monitoring or interception of telephone, email, or internet usage is provided to Delaware-based staff at hire, and a daily login banner is configured on company-issued devices to satisfy the alternative notice option.
  • New Jersey. Where Neuroscale deploys vehicle-tracking devices on employer-provided vehicles, prior written notice is provided per N.J. Stat. Ann. §34:6B-22.
  • Federal wiretap. Routine review of stored communications and metadata for the purposes set out above is conducted under the business-use and consent exceptions to the federal Electronic Communications Privacy Act and the Stored Communications Act (18 U.S.C. §§2510 et seq., 2701 et seq.); contemporaneous interception of the contents of electronic communications is not performed except as authorized by law.
  • Other states. Neuroscale staff in other states are notified of the same monitoring practices through this policy and the at-hire acknowledgement. Where a state subsequently enacts an electronic-monitoring notice statute (e.g., proposed legislation in IL, MA, NJ, RI, WA, or successor amendments to existing statutes), the General Counsel and CHRO update this section and re-deliver the notice as required. Pending such enactments, the highest standard among CA, NY, CT, and DE is applied as the Neuroscale baseline.

CCTV and physical-premises monitoring

The Neuroscale office at 46175 Westlake Dr Ste 300, Sterling, VA 20165 uses closed-circuit video surveillance (CCTV) at common-area entry points and shared spaces. The Sterling office does not use a badge-access system; physical access is controlled by the building’s standard mechanical locks and the Neuroscale-issued keys described in the Physical Security Policy. CCTV signage is posted at each surveilled entry point and in each surveilled common area, consistent with Va. Code §40.1-28.7:5 (employer notice of electronic monitoring) and §18.2-386.1 (anti-voyeurism — no surveillance is placed in restrooms, lactation rooms, or other areas where employees have a reasonable expectation of privacy). CCTV footage is retained for a limited period (default: 30 days) on a write-once-read-many storage configuration, and is accessible only to authorized HR, Security, and Legal personnel for safety, theft, and incident-investigation purposes. Footage is not used for performance management or routine productivity monitoring.

Biometric data

Neuroscale does not require biometric authentication. To the extent you choose to use device-level biometrics — such as Face ID or Touch ID on a company-issued device — those biometric templates are stored locally on your device by the operating system and are not transmitted to or stored by Neuroscale. Neuroscale does not collect, store, or process raw biometric identifiers. If at any point Neuroscale begins to process biometric identifiers (for example, fingerprint-based building access), the following will apply, in addition to obtaining written consent before collection:
  • Illinois. Compliance with the Biometric Information Privacy Act (BIPA, 740 ILCS 14), including a written policy with retention and destruction schedules, written consent, and prohibitions on sale or disclosure.
  • Texas. Compliance with the Capture or Use of Biometric Identifier Act (CUBI, Tex. Bus. & Com. Code §503.001).
  • Washington. Compliance with Wash. Rev. Code §19.375 and HB 1493.
  • Other states. New York (N.Y. Lab. Law §201-a; N.Y. Gen. Bus. Law §899-bb), Maryland (HB 1202), Colorado (Colorado Privacy Act sensitive-data provisions, C.R.S. §§6-1-1303 et seq.), Oregon (Or. Rev. Stat. §646A.604 sensitive-data disclosures), and analogous biometric-privacy regimes apply to the extent they reach Neuroscale’s processing. Because Neuroscale does not currently collect or process raw biometric identifiers about its workforce, the operative obligation is (a) to refrain from initiating any biometric collection without a documented written program (consent form, retention schedule, destruction schedule, third-party-disclosure restrictions, BIPA-style attestations) approved by the General Counsel, and (b) to update this section with state-specific compliance requirements before the first such collection. The General Counsel reviews this section annually and on each material change to applicable biometric-privacy law.

Sensitive Personal Information (CPRA §1798.121)

Some categories of workforce personal information meet the CPRA definition of Sensitive Personal Information (SPI) under Cal. Civ. Code §1798.140(ae). Neuroscale collects the following SPI in the employment context:
  • Government identifiers — Social Security number, driver’s license, state ID, passport number, work-authorization documents.
  • Account log-in credentials and authentication factors used to access Neuroscale systems.
  • Precise geolocation, where collected (e.g., from mobile devices used for work).
  • Racial or ethnic origin and citizenship/immigration status — collected for EEO/diversity reporting (voluntary), I-9 work-authorization (mandatory), and export-compliance review.
  • Health information — collected only as needed to administer leave, accommodations, workers’ compensation, and benefits.
  • Biometric information — see Biometric data; Neuroscale does not currently process raw biometric identifiers.

Right to limit use of SPI

California-based workforce members have, subject to statutory exceptions, a right under §1798.121 to direct Neuroscale to limit the use of SPI to purposes “necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services,” and to certain enumerated business purposes. In the employment context, Neuroscale uses SPI only for the purposes set out in the Why we process this information section above — administering pay, benefits, taxes, leave, accommodations, equal-opportunity reporting, work-authorization verification, export-compliance review, security operations, and legal compliance — all of which fall within the §1798.121(b) and CCPA Regulations §7027(m) exceptions that permit continued use of SPI without honoring a limit-use request. Neuroscale does not use workforce SPI for inferring characteristics, for advertising, for sale, or for cross-context behavioral advertising. To submit a request to limit, see Data Subject Rights or email privacy@neuroscale.ai. Where Neuroscale denies a request because an exception applies, the response will explain the basis.

Sharing of personal information

Neuroscale shares personal information only as necessary and only with:
  • Service providers acting on our behalf (e.g., Checkr for background checks, payroll and benefits administrators, the LMS, Vanta), under written agreements that limit their use of the data. See the Third-Party Management Policy.
  • Affiliates and successors in interest in the event of a corporate transaction.
  • Legal and regulatory recipients where required (tax authorities, courts, government agencies).
  • Other parties at your direction (e.g., reference requests where you consent).
We do not sell workforce personal information and we do not share it for cross-context behavioral advertising.

Cross-border transfers

Neuroscale is U.S.-headquartered and primarily processes workforce data in the United States, including in AWS and U.S.-region SaaS services. Where workforce members are located outside the U.S., personal information may be transferred to the U.S. or to other jurisdictions where our service providers operate. Neuroscale uses appropriate transfer mechanisms — such as the EU Standard Contractual Clauses, the U.K. International Data Transfer Addendum, and recognized adequacy mechanisms — when required. See Cross-Border Transfers for the operational procedure.

Retention

Personal information is retained only as long as necessary for the purposes described in this policy and in line with statutory retention requirements (tax, employment, OSHA, immigration, etc.). After the applicable retention period, information is deleted or anonymized. The Records Retention Schedule sets the master retention table. Indicative periods:
  • Recruiting records of unsuccessful candidates: typically 2 years.
  • Core HR file (offer letter, agreements, performance reviews): typically employment + 7 years.
  • Payroll and tax records: typically at least 4 years (IRS) or longer where state law requires.
  • I-9 records: 3 years from hire or 1 year from termination, whichever is later (8 C.F.R. §274a.2).
  • Security telemetry (Rippling, Better Stack, CloudWatch): retention as set out in the Data Management Policy.
  • Workplace-violence incident log: at least 5 years (Cal. Lab. Code §6401.9).
The authoritative, GC-approved retention periods for every record category — including HR records, payroll, I-9, telemetry, and incident logs — are tracked in the Records Retention Schedule. The summary above is provided for orientation; where the two differ, the Records Retention Schedule controls.

Your rights

Subject to applicable law, you have rights to:
  • Access the personal information Neuroscale holds about you.
  • Correct inaccurate information.
  • Delete information, subject to legal-retention obligations.
  • Restrict or object to certain processing.
  • Portability — receive a copy of certain information in a machine-readable format.
  • Withdraw consent where consent is the basis for processing.
  • Lodge a complaint with a supervisory authority where applicable (e.g., the California Privacy Protection Agency, an EU data-protection authority).
To exercise a right, see Data Subject Rights for the request procedure, or email privacy@neuroscale.ai. You will not be retaliated against for exercising your rights. Some statutory rights — particularly under the CCPA/CPRA — apply with modifications in the employment context. Where a right is unavailable or limited, Neuroscale will explain why in the response to your request.

Security of workforce data

Workforce data is protected under the same controls described in the Information Security Policy, including:
  • Encryption at rest and in transit using AWS KMS and platform-level encryption.
  • SSO and MFA via Rippling.
  • Role-based access control and quarterly access reviews — see Access Control Policy.
  • Endpoint protection (EDR) and MDM via Rippling.
  • Logging and detection in Better Stack and CloudWatch, with on-call paging via Better Stack.
  • Incident response per the Incident Response Plan.
Access to HRIS data is restricted to CHRO, Finance (for payroll), the employee’s management chain on a need-to-know basis, and Legal/IT for legitimate purposes, all logged.

Investigations

Neuroscale may access workforce data for legitimate investigative purposes — including suspected violations of the Code of Conduct, the Workplace Violence Prevention Policy, the Anti-Bribery & Corruption Policy, the Insider Trading Policy, or the Information Security Policy, and to respond to legal process. Such access is approved per the Information Security Policy → Acceptable Use and logged.

Changes to this policy

Neuroscale reviews this policy annually and may update it as laws, systems, or practices change. Material changes are communicated to the workforce.

Exceptions

Operational exceptions to this policy require written approval of the CHRO and General Counsel.

Violations & enforcement

Violations of this policy by Neuroscale staff may result in disciplinary action up to and including termination. Workforce members who believe their personal information has been mishandled can contact privacy@neuroscale.ai or, if anonymous reporting is preferred, the Anonymous Reporting channel.

Version history

VersionDateDescriptionAuthorApproved by
1.0May 8, 2026Initial versionCameron WolfeIshan Jadhwani