Policy Owner: CISO
Effective Date: May 8, 2026
Reviewed: Annually
Next Review: May 8, 2027

Purpose

To ensure that employees and contractors meet security requirements, understand their responsibilities, and are suitable for their roles.

Scope

All Neuroscale employees, consultants, contractors, and other third-party entities with access to Neuroscale production networks and system resources.

Screening

Background-verification checks on Neuroscale personnel are carried out in accordance with relevant laws and regulations and are proportional to business requirements, the classification of the information accessed, and the perceived risks. Background screening includes criminal-history checks unless prohibited by local statute. All third parties with technical, privileged, or administrative access to Neuroscale production systems or networks are subject to a background check or required to provide evidence of an acceptable background, based on access level and risk. Background checks are run by Checkr as part of onboarding. The full process — disclosure, authorization, dispute, and adverse-action handling — is documented in the Background Checks procedure. Standard forms: Background-Check Consent Template and Adverse-Action Letter Template.

Statutory framework

Neuroscale’s background-check program is designed to comply with:
  • The Fair Credit Reporting Act (FCRA), 15 U.S.C. §§1681 et seq., including the standalone written disclosure requirement (§1681b(b)(2)(A)), express written authorization, the Summary of Your Rights Under the FCRA delivery obligation (§1681g(c)), and the two-step pre-adverse-action and adverse-action notice procedure (§1681b(b)(3)).
  • State consumer-reporting analogues including the California Investigative Consumer Reporting Agencies Act (ICRAA) (Cal. Civ. Code §§1786 et seq.), the California Consumer Credit Reporting Agencies Act (CCRAA) (Cal. Civ. Code §§1785.1 et seq.), the New York Fair Credit Reporting Act (N.Y. Gen. Bus. Law §380), the Massachusetts Fair Credit Reporting Act (Mass. Gen. Laws ch. 93 §§50–68), and equivalents.
  • “Ban-the-box” / fair-chance hiring statutes and ordinances that delay or restrict criminal-history inquiries until after a conditional offer, and that require an individualized assessment before adverse action — including the California Fair Chance Act (Cal. Gov’t Code §12952), the New York City Fair Chance Act (N.Y.C. Admin. Code §8-107(11-a)), the Illinois Job Opportunities for Qualified Applicants Act (820 ILCS 75), the Massachusetts CORI law (Mass. Gen. Laws ch. 6 §§167–178B and ch. 151B §4(9½)), the Connecticut Clean Slate and “ban-the-box” statutes (Conn. Gen. Stat. §§31-51i, 46a-80), the Colorado Chance to Compete Act (Colo. Rev. Stat. §8-2-130), and equivalents in Washington, Oregon, Maryland, New Jersey, Pennsylvania, Philadelphia, Los Angeles, San Francisco, Seattle, and other jurisdictions.
  • Equal-opportunity statutes, including the EEOC’s 2012 enforcement guidance on the consideration of arrest and conviction records (Title VII), the Age Discrimination in Employment Act, the Americans with Disabilities Act, GINA, and analogous state law.
  • State salary-history restrictions where applicable.
Operational implementation — including the FCRA stand-alone disclosure form, authorization, summary-of-rights delivery, the pre-adverse-action holding period (typically at least five business days), the §1681b(b)(3) adverse-action notice with copy of the consumer report and summary of rights, individualized assessment for criminal-history matters, and jurisdiction-specific timing rules — is documented in the Background Checks procedure. The Background Checks procedure is reviewed annually by the General Counsel and CHRO against changes in federal, state, and local law.

Competence & performance assessment

Skills and competence of employees and contractors are assessed by CHRO and the hiring manager (or designees) as part of the hiring process. Required skills and competencies are listed in job descriptions and aligned with responsibilities outlined in the Roles & Responsibilities Policy. All Neuroscale employees undergo an annual performance review including assessment of job performance, competence, adherence to company policies and the Code of Conduct, and achievement of role-specific objectives.

Terms & conditions of employment

Company policies and information-security roles and responsibilities are communicated to employees and third parties at the time of hire or engagement. Employees and contractors are required to formally acknowledge their security responsibilities. Employees and third parties with access to company or customer information sign appropriate non-disclosure, confidentiality, and code-of-conduct agreements.

Management responsibilities

Management is responsible for ensuring information-security policies and procedures are reviewed annually, distributed and available, and that employees and contractors abide by those policies for the duration of their employment or engagement. Management ensures information-security responsibilities are communicated through written job descriptions, policies, or other documented methods that are accurately maintained. Compliance with information-security policies is evaluated as part of the performance review process where applicable. Management considers excessive pressures and opportunities for fraud when establishing incentives and segregating roles, responsibilities, and authorities.

Information security awareness, education & training

All Neuroscale employees and third parties with administrative or privileged technical access complete security-awareness training at the time of hire and annually thereafter. Training is delivered through Vanta. Management monitors training completion. Personnel receive security and data-privacy training appropriate to their role and data-handling responsibilities. To maintain awareness, the company provides security updates and communications through multiple channels (Slack, email, all-hands). Information-security leaders pursue ongoing professional development — trainings, certifications, and industry-group memberships — appropriate to their role.

Annual policy re-acknowledgement

All Neuroscale workforce members re-acknowledge the information-security policy set on at least an annual basis, in addition to the at-hire acknowledgement under Terms & conditions of employment. The re-acknowledgement attests that the workforce member has reviewed and agrees to comply with the current version of: Re-acknowledgement is administered through Vanta on the anniversary of hire (or on each policy version change that materially affects workforce-member obligations). Completion records are retained per the Records Retention Schedule and produced as evidence for SOC 2 (CC1.4 + CC2.2) and ISO 27001 (Clause 7.3 + Annex A.6.3) audits. Non-completion past the assigned grace period escalates to the workforce member’s manager and to the CHRO.

Termination process

Employee and contractor termination and offboarding processes ensure that physical and logical access is promptly revoked per company SLAs, and that all company-issued equipment is returned. See Offboarding procedure. Any security or confidentiality agreements that remain valid after termination are communicated to the employee or contractor at the time of termination.

Disciplinary process

Employees and third parties who violate Neuroscale information-security policies are subject to the company’s progressive disciplinary process, up to and including termination.

Exceptions

Requests for exceptions must be submitted to the CISO for approval.

Violations & enforcement

Report violations to the CISO. Violations may result in suspension of system and network privileges and disciplinary action up to and including termination.

Version history

VersionDateDescriptionAuthorApproved by
1.0May 8, 2026Initial versionCameron WolfeIshan Jadhwani