Policy Owner: CISO
Effective Date: May 8, 2026
Reviewed: Annually
Next Review: May 8, 2027
Effective Date: May 8, 2026
Reviewed: Annually
Next Review: May 8, 2027
Purpose
To ensure that employees and contractors meet security requirements, understand their responsibilities, and are suitable for their roles.Scope
All Neuroscale employees, consultants, contractors, and other third-party entities with access to Neuroscale production networks and system resources.Screening
Background-verification checks on Neuroscale personnel are carried out in accordance with relevant laws and regulations and are proportional to business requirements, the classification of the information accessed, and the perceived risks. Background screening includes criminal-history checks unless prohibited by local statute. All third parties with technical, privileged, or administrative access to Neuroscale production systems or networks are subject to a background check or required to provide evidence of an acceptable background, based on access level and risk. Background checks are run by Checkr as part of onboarding. The full process — disclosure, authorization, dispute, and adverse-action handling — is documented in the Background Checks procedure. Standard forms: Background-Check Consent Template and Adverse-Action Letter Template.Background-check gate on production-scope access
Production-scope access — including the GitHubneuroscale organization, AWS Identity Center, Vultr, KMS / secrets-manager consoles, production databases, and any tool that exposes customer data — is not granted until the worker has passed a Checkr screen at T2 (production / Confidential access) tier as defined in Background Checks → Background-check tiers, or until the General Counsel records an individualized-assessment decision under the FCRA / fair-chance procedures in the Background Checks procedure. Onboarding-only access (Microsoft 365 mailbox, Rippling self-service, Vanta training enrollment, this docs site) may be granted before any clearance so that the new hire can complete administrative onboarding; internal-collaboration access (Slack, team SharePoint, Linear read-only) is granted on day 1 if at least a T1 (baseline) clearance is on file and is otherwise held until that clearance returns.
The tier assigned to each role is set by the CISO at the time the requisition is opened. T3 (finance / executive / fiduciary) roles are screened at the same Checkr build as T2 under the current minimum-viable program — the T3 designation is preserved as a fiduciary-tracking label and picks up additional searches only on a customer-contract or regulatory trigger per Background Checks → Optional add-ons.
CHRO records the Checkr return date, tier, and adjudication in Rippling, and IT references that record before provisioning any group membership that confers internal-collaboration or production-scope access. The bucket-to-group mapping is enumerated in the IT provisioning runbook in SharePoint (IT Operations) and operationalized in the Onboarding procedure → Access-grant gate.
Statutory framework
Neuroscale’s background-check program is designed to comply with:- The Fair Credit Reporting Act (FCRA), 15 U.S.C. §§1681 et seq., including the standalone written disclosure requirement (§1681b(b)(2)(A)), express written authorization, the Summary of Your Rights Under the FCRA delivery obligation (§1681g(c)), and the two-step pre-adverse-action and adverse-action notice procedure (§1681b(b)(3)).
- State consumer-reporting analogues including the California Investigative Consumer Reporting Agencies Act (ICRAA) (Cal. Civ. Code §§1786 et seq.), the California Consumer Credit Reporting Agencies Act (CCRAA) (Cal. Civ. Code §§1785.1 et seq.), the New York Fair Credit Reporting Act (N.Y. Gen. Bus. Law §380), the Massachusetts Fair Credit Reporting Act (Mass. Gen. Laws ch. 93 §§50–68), and equivalents.
- “Ban-the-box” / fair-chance hiring statutes and ordinances that delay or restrict criminal-history inquiries until after a conditional offer, and that require an individualized assessment before adverse action — including the California Fair Chance Act (Cal. Gov’t Code §12952), the New York City Fair Chance Act (N.Y.C. Admin. Code §8-107(11-a)), the Illinois Job Opportunities for Qualified Applicants Act (820 ILCS 75), the Massachusetts CORI law (Mass. Gen. Laws ch. 6 §§167–178B and ch. 151B §4(9½)), the Connecticut Clean Slate and “ban-the-box” statutes (Conn. Gen. Stat. §§31-51i, 46a-80), the Colorado Chance to Compete Act (Colo. Rev. Stat. §8-2-130), and equivalents in Washington, Oregon, Maryland, New Jersey, Pennsylvania, Philadelphia, Los Angeles, San Francisco, Seattle, and other jurisdictions.
- Equal-opportunity statutes, including the EEOC’s 2012 enforcement guidance on the consideration of arrest and conviction records (Title VII), the Age Discrimination in Employment Act, the Americans with Disabilities Act, GINA, and analogous state law.
- State salary-history restrictions where applicable.
Competence & performance assessment
Skills and competence of employees and contractors are assessed by CHRO and the hiring manager (or designees) as part of the hiring process. Required skills and competencies are listed in job descriptions and aligned with responsibilities outlined in the Roles & Responsibilities Policy. All Neuroscale employees undergo an annual performance review including assessment of job performance, competence, adherence to company policies and the Code of Conduct, and achievement of role-specific objectives.Terms & conditions of employment
Company policies and information-security roles and responsibilities are communicated to employees and third parties at the time of hire or engagement. Employees and contractors are required to formally acknowledge their security responsibilities. Employees and third parties with access to company or customer information sign appropriate non-disclosure, confidentiality, and code-of-conduct agreements.Management responsibilities
Management is responsible for ensuring information-security policies and procedures are reviewed annually, distributed and available, and that employees and contractors abide by those policies for the duration of their employment or engagement. Management ensures information-security responsibilities are communicated through written job descriptions, policies, or other documented methods that are accurately maintained. Compliance with information-security policies is evaluated as part of the performance review process where applicable. Management considers excessive pressures and opportunities for fraud when establishing incentives and segregating roles, responsibilities, and authorities.Information security awareness, education & training
All Neuroscale employees and third parties with administrative or privileged technical access complete security-awareness training at the time of hire and annually thereafter. Training is delivered through Vanta. Management monitors training completion. Personnel receive security and data-privacy training appropriate to their role and data-handling responsibilities. To maintain awareness, the company provides security updates and communications through multiple channels (Slack, email, all-hands). Information-security leaders pursue ongoing professional development — trainings, certifications, and industry-group memberships — appropriate to their role.AI literacy
Workforce members who deal with the development, operation, deployment, or oversight of Neuroscale AI systems — including the personnel responsible for the candidate sourcing, scoring, and ranking functions that run in production — are given a sufficient level of AI literacy for their role. The depth and content of this training are proportionate to each member’s technical knowledge, experience, and education and to the context in which the systems are used, and cover at a minimum:- the capabilities and limitations of the AI systems the member works with;
- the human-oversight, review, and bias-monitoring responsibilities attached to the member’s role, including the controls in the Employment-AI Bias Audit procedure; and
- expectations for the responsible and ethical development, deployment, and use of AI, per the AI Acceptable Use Policy and the AI Risk Management Policy.
Annual policy re-acknowledgement
All Neuroscale workforce members re-acknowledge the information-security policy set on at least an annual basis, in addition to the at-hire acknowledgement under Terms & conditions of employment. The re-acknowledgement attests that the workforce member has reviewed and agrees to comply with the current version of:- The Information Security Policy
- The Code of Conduct
- The Acceptable Use requirements
- Any role-specific policy applicable to the member (e.g., Insider Trading for Access Persons; Anti-Bribery & Corruption for higher-risk roles).
Termination process
Employee and contractor termination and offboarding processes ensure that physical and logical access is promptly revoked per company SLAs, and that all company-issued equipment is returned. See Offboarding procedure. Any security or confidentiality agreements that remain valid after termination are communicated to the employee or contractor at the time of termination.Disciplinary process
Employees and third parties who violate Neuroscale information-security policies are subject to the company’s progressive disciplinary process, up to and including termination.Exceptions
Requests for exceptions must be submitted to the CISO for approval.Violations & enforcement
Report violations to the CISO. Violations may result in suspension of system and network privileges and disciplinary action up to and including termination.Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |