Policy Owner: CISO
Effective Date: May 8, 2026
Reviewed: Annually
Next Review: May 8, 2027

Purpose

To ensure that employees and contractors meet security requirements, understand their responsibilities, and are suitable for their roles.

Scope

All Neuroscale employees, consultants, contractors, and other third-party entities with access to Neuroscale production networks and system resources.

Screening

Background-verification checks on Neuroscale personnel are carried out in accordance with relevant laws and regulations and are proportional to business requirements, the classification of the information accessed, and the perceived risks. Background screening includes criminal-history checks unless prohibited by local statute. All third parties with technical, privileged, or administrative access to Neuroscale production systems or networks are subject to a background check or required to provide evidence of an acceptable background, based on access level and risk. Background checks are run by Checkr as part of onboarding. The full process — disclosure, authorization, dispute, and adverse-action handling — is documented in the Background Checks procedure. Standard forms: Background-Check Consent Template and Adverse-Action Letter Template.

Background-check gate on production-scope access

Production-scope access — including the GitHub neuroscale organization, AWS Identity Center, Vultr, KMS / secrets-manager consoles, production databases, and any tool that exposes customer data — is not granted until the worker has passed a Checkr screen at T2 (production / Confidential access) tier as defined in Background Checks → Background-check tiers, or until the General Counsel records an individualized-assessment decision under the FCRA / fair-chance procedures in the Background Checks procedure. Onboarding-only access (Microsoft 365 mailbox, Rippling self-service, Vanta training enrollment, this docs site) may be granted before any clearance so that the new hire can complete administrative onboarding; internal-collaboration access (Slack, team SharePoint, Linear read-only) is granted on day 1 if at least a T1 (baseline) clearance is on file and is otherwise held until that clearance returns. The tier assigned to each role is set by the CISO at the time the requisition is opened. T3 (finance / executive / fiduciary) roles are screened at the same Checkr build as T2 under the current minimum-viable program — the T3 designation is preserved as a fiduciary-tracking label and picks up additional searches only on a customer-contract or regulatory trigger per Background Checks → Optional add-ons. CHRO records the Checkr return date, tier, and adjudication in Rippling, and IT references that record before provisioning any group membership that confers internal-collaboration or production-scope access. The bucket-to-group mapping is enumerated in the IT provisioning runbook in SharePoint (IT Operations) and operationalized in the Onboarding procedure → Access-grant gate.

Statutory framework

Neuroscale’s background-check program is designed to comply with:
  • The Fair Credit Reporting Act (FCRA), 15 U.S.C. §§1681 et seq., including the standalone written disclosure requirement (§1681b(b)(2)(A)), express written authorization, the Summary of Your Rights Under the FCRA delivery obligation (§1681g(c)), and the two-step pre-adverse-action and adverse-action notice procedure (§1681b(b)(3)).
  • State consumer-reporting analogues including the California Investigative Consumer Reporting Agencies Act (ICRAA) (Cal. Civ. Code §§1786 et seq.), the California Consumer Credit Reporting Agencies Act (CCRAA) (Cal. Civ. Code §§1785.1 et seq.), the New York Fair Credit Reporting Act (N.Y. Gen. Bus. Law §380), the Massachusetts Fair Credit Reporting Act (Mass. Gen. Laws ch. 93 §§50–68), and equivalents.
  • “Ban-the-box” / fair-chance hiring statutes and ordinances that delay or restrict criminal-history inquiries until after a conditional offer, and that require an individualized assessment before adverse action — including the California Fair Chance Act (Cal. Gov’t Code §12952), the New York City Fair Chance Act (N.Y.C. Admin. Code §8-107(11-a)), the Illinois Job Opportunities for Qualified Applicants Act (820 ILCS 75), the Massachusetts CORI law (Mass. Gen. Laws ch. 6 §§167–178B and ch. 151B §4(9½)), the Connecticut Clean Slate and “ban-the-box” statutes (Conn. Gen. Stat. §§31-51i, 46a-80), the Colorado Chance to Compete Act (Colo. Rev. Stat. §8-2-130), and equivalents in Washington, Oregon, Maryland, New Jersey, Pennsylvania, Philadelphia, Los Angeles, San Francisco, Seattle, and other jurisdictions.
  • Equal-opportunity statutes, including the EEOC’s 2012 enforcement guidance on the consideration of arrest and conviction records (Title VII), the Age Discrimination in Employment Act, the Americans with Disabilities Act, GINA, and analogous state law.
  • State salary-history restrictions where applicable.
Operational implementation — including the FCRA stand-alone disclosure form, authorization, summary-of-rights delivery, the pre-adverse-action holding period (typically at least five business days), the §1681b(b)(3) adverse-action notice with copy of the consumer report and summary of rights, individualized assessment for criminal-history matters, and jurisdiction-specific timing rules — is documented in the Background Checks procedure. The Background Checks procedure is reviewed annually by the General Counsel and CHRO against changes in federal, state, and local law.

Competence & performance assessment

Skills and competence of employees and contractors are assessed by CHRO and the hiring manager (or designees) as part of the hiring process. Required skills and competencies are listed in job descriptions and aligned with responsibilities outlined in the Roles & Responsibilities Policy. All Neuroscale employees undergo an annual performance review including assessment of job performance, competence, adherence to company policies and the Code of Conduct, and achievement of role-specific objectives.

Terms & conditions of employment

Company policies and information-security roles and responsibilities are communicated to employees and third parties at the time of hire or engagement. Employees and contractors are required to formally acknowledge their security responsibilities. Employees and third parties with access to company or customer information sign appropriate non-disclosure, confidentiality, and code-of-conduct agreements.

Management responsibilities

Management is responsible for ensuring information-security policies and procedures are reviewed annually, distributed and available, and that employees and contractors abide by those policies for the duration of their employment or engagement. Management ensures information-security responsibilities are communicated through written job descriptions, policies, or other documented methods that are accurately maintained. Compliance with information-security policies is evaluated as part of the performance review process where applicable. Management considers excessive pressures and opportunities for fraud when establishing incentives and segregating roles, responsibilities, and authorities.

Information security awareness, education & training

All Neuroscale employees and third parties with administrative or privileged technical access complete security-awareness training at the time of hire and annually thereafter. Training is delivered through Vanta. Management monitors training completion. Personnel receive security and data-privacy training appropriate to their role and data-handling responsibilities. To maintain awareness, the company provides security updates and communications through multiple channels (Slack, email, all-hands). Information-security leaders pursue ongoing professional development — trainings, certifications, and industry-group memberships — appropriate to their role.

AI literacy

Workforce members who deal with the development, operation, deployment, or oversight of Neuroscale AI systems — including the personnel responsible for the candidate sourcing, scoring, and ranking functions that run in production — are given a sufficient level of AI literacy for their role. The depth and content of this training are proportionate to each member’s technical knowledge, experience, and education and to the context in which the systems are used, and cover at a minimum: AI-literacy training is assigned when a worker takes on an AI-related responsibility and is refreshed at least annually alongside the security-awareness cycle. Completion is monitored together with the security-awareness training above and operationalized through the role-specific modules in the Security Awareness Training procedure.

Annual policy re-acknowledgement

All Neuroscale workforce members re-acknowledge the information-security policy set on at least an annual basis, in addition to the at-hire acknowledgement under Terms & conditions of employment. The re-acknowledgement attests that the workforce member has reviewed and agrees to comply with the current version of: Re-acknowledgement is administered through Vanta on the anniversary of hire (or on each policy version change that materially affects workforce-member obligations). Completion records are retained per the Records Retention Schedule and produced as evidence for SOC 2 (CC1.4 + CC2.2) and ISO 27001 (Clause 7.3 + Annex A.6.3) audits. Non-completion within the 30-calendar-day grace period (measured from the re-acknowledgement assignment date — the hire anniversary or the date a materially-changed policy version is published) escalates to the workforce member’s manager and to the CHRO.

Termination process

Employee and contractor termination and offboarding processes ensure that physical and logical access is promptly revoked per company SLAs, and that all company-issued equipment is returned. See Offboarding procedure. Any security or confidentiality agreements that remain valid after termination are communicated to the employee or contractor at the time of termination.

Disciplinary process

Employees and third parties who violate Neuroscale information-security policies are subject to the company’s progressive disciplinary process, up to and including termination.

Exceptions

Requests for exceptions must be submitted to the CISO for approval.

Violations & enforcement

Report violations to the CISO. Violations may result in suspension of system and network privileges and disciplinary action up to and including termination.

Version history

VersionDateDescriptionAuthorApproved by
1.0May 8, 2026Initial versionCameron WolfeIshan Jadhwani