Policy Owner: CISO
Effective Date: May 8, 2026
Reviewed: Annually
Next Review: May 8, 2027
Overview
This Information Security Policy protects Neuroscale’s employees, partners, and the company from illegal or damaging actions by individuals, either knowingly or unknowingly. Internet/intranet/extranet-related systems — including computer equipment, software, operating systems, storage media, network accounts providing electronic mail, web browsing, and file transfers — are the property of Neuroscale and are to be used for business purposes in serving the interests of the company, our customers, and our partners. Effective security is a team effort involving the participation and support of every Neuroscale employee or contractor who deals with information and information systems. It is the responsibility of every team member to read and understand this policy and conduct their activities accordingly.
Purpose
To communicate Neuroscale’s information security policies and outline acceptable use and protection of Neuroscale’s information and assets. These rules protect customers, employees, and the company. Inappropriate use exposes Neuroscale to risks including malware, compromise of network systems and services, financial and reputational harm, and legal and compliance issues. The “Neuroscale Information Security Policy” is comprised of this policy and all Neuroscale policies referenced and/or linked within this document.
Scope
This policy applies to the use of information, electronic and computing devices, and network resources to conduct Neuroscale business or interact with internal networks and business systems — whether owned or leased by Neuroscale, the employee, or a third party. All employees, contractors, consultants, temporary, and other workers at Neuroscale and its subsidiaries are responsible for exercising good judgment regarding appropriate use, in accordance with Neuroscale policies and applicable laws and regulations. This policy applies to all Neuroscale-controlled company and customer data as well as all equipment, systems, networks, and software owned or leased by Neuroscale.
Security incident reporting
All users are required to report known or suspected security events or incidents — including policy violations and observed security weaknesses — immediately or as soon as possible by emailing security@neuroscale.ai. Describe the incident or observation along with any relevant details. See the Incident Response Policy for what happens next.
Whistleblower / anonymous fraud reporting
Our Whistleblower Policy encourages employees and others to raise serious concerns internally so we can address inappropriate conduct. It is the responsibility of all employees to report concerns about violations of our code of ethics or suspected violations of law. It is contrary to our values for anyone to retaliate against a person who in good faith reports an ethics violation, suspected violation of law, complaint of discrimination, suspected fraud, or suspected violation of any regulation. Retaliation may result in discipline up to and including termination of employment. Anonymous reports may be submitted through the Anonymous Reporting channel.
Device policy — company-owned and BYOD
All end-user devices (mobile phones, tablets, laptops, desktops) used to access Neuroscale information, systems, or networks must comply with this policy. Use extreme caution when opening email attachments from unknown senders. System- and user-level passwords must comply with the Access Control Policy. Providing access to another individual — deliberately or by failure to secure a device — is prohibited. Neuroscale operates two device categories:
- Company-owned (managed). Laptops and mobile devices issued to staff. Enrolled in Rippling MDM + EDR. Default for all roles. Required for any access to Confidential data or production systems.
- BYOD (Bring-Your-Own-Device). A personally owned device used for a limited set of low-risk activities — primarily email, calendar, Slack, and approved SaaS web-app access from a browser. BYOD is permitted only under the conditions below; otherwise, prohibited.
BYOD conditions
A personal device may access Neuroscale resources only if all of the following are satisfied:
- No Confidential data at rest. Confidential data (as defined in the Data Management Policy) — including customer data, source code, secrets, and PII — must not be downloaded, cached, or stored on a BYOD device. Browser-based access to SaaS apps is permitted; native sync clients that mirror Confidential data locally are not.
- No production access. BYOD devices must not be used to access production infrastructure (AWS console, kubectl, SSH to production hosts, production databases). Production access requires a Neuroscale-managed device.
- MDM/MAM enrollment where required. Mobile devices used for Microsoft 365 mail/calendar must be enrolled in Rippling for Mobile Application Management (MAM) so that Neuroscale can selectively wipe Neuroscale data if the device is lost or the user offboards. Laptops accessing anything beyond browser-based SaaS must be enrolled in full Rippling MDM as a company-managed device.
- Baseline hygiene. Operating system supported by the vendor and current on security patches; full-disk encryption enabled; screen lock with password or biometric; reputable anti-malware (built-in OS protections satisfy this for macOS and Windows).
- No shared use. The device must not be shared with another person while Neuroscale data is accessible.
Device controls (all categories)
- Devices must be locked with a password or biometric screensaver / screen lock after 5 minutes of non-use.
- Devices must be locked whenever left unattended.
- Suspected misuse or theft of a device must be reported to helpdesk@neuroscale.ai immediately. See Lost or stolen device.
- Confidential information must not be stored on mobile devices or USB drives (business contact information — names, phone numbers, email addresses — is permitted).
- Devices used to access company resources must not be shared with another person.
- Upon termination, users return all company-owned devices and confirm deletion of all Neuroscale data and accounts from any BYOD device. The CHRO and IT verify deletion via the Offboarding procedure; selective MAM wipe is initiated for BYOD mobile devices.
Privacy on BYOD
Where a personal device is enrolled in Rippling MAM for BYOD, Neuroscale’s view of the device is limited to the Neuroscale-managed app container and metadata (app inventory of managed apps, OS version, compliance state). Neuroscale does not access personal applications, photos, browsing history, or call/SMS metadata on BYOD devices. See the Employee Privacy Policy.
Clear screen, clear desk
Neuroscale operates a clear-screen and clear-desk standard for all working environments — the office, home offices, and any temporary workspace.
- Clear screen. Workstations and laptops lock automatically after 5 minutes of inactivity (Rippling-enforced policy on managed devices) and users must lock the screen manually whenever stepping away. Confidential or Restricted information must not be displayed where it can be observed by unauthorized persons (e.g., in public spaces, on commuter rail, or during video calls without a privacy filter).
- Clear desk. Confidential or Restricted printed materials are not left unattended on desks, in printers, or in shared workspaces; they are stored in a locked drawer or destroyed via approved cross-cut shredding when no longer needed (see Records Disposal). Whiteboards used for design or planning sessions are wiped at the end of the session if the content includes Confidential information.
- Visitor and meeting rooms. Conference rooms are cleared of papers and whiteboard content after each meeting where Confidential information was discussed. Visitors must not be left unattended in workspaces where Confidential materials could be observed.
- Shared printers and scanners. Print-release authentication is enabled where available; users are responsible for collecting their own output and reporting any mis-printed Confidential material to the CISO.
Remote working and access
Remote working covers any situation where personnel operate from outside an office. Laptops and other devices used to access Neuroscale resources must conform to the following:
- Antivirus / endpoint-protection software must be enabled, configured to detect and quarantine malware, perform periodic scans, and have automatic updates enabled. Neuroscale-managed devices use Rippling.
- Cloudflare One is the standard VPN and Zero Trust access layer for all Neuroscale staff. The Cloudflare WARP client must be enabled on Neuroscale-managed laptops and on any BYOD device used to reach Neuroscale resources. Cloudflare Access enforces identity- and device-posture-based authorization in front of internal applications and SaaS resources; Cloudflare Gateway provides DNS/HTTP filtering and the corporate egress path. Connect through Cloudflare One whenever working away from a Neuroscale-managed network and at all times when transmitting Confidential information over an untrusted network (public Wi-Fi, hotel networks, etc.).
- Tailscale is a restricted-use network tool for production-infrastructure management — used by Engineering On-call, System Owners, and other engineers with documented production access to reach AWS bastions, internal admin endpoints, and similar infrastructure. Tailscale is not a general-purpose employee VPN and must not be used as a substitute for Cloudflare One for routine work. Tailscale enrollment is gated by membership in the production-access group reviewed each quarter under the Access Control Policy.
- When working from a home network, change default Wi-Fi name, password, and admin credentials.
- Do not connect to outside networks without an enabled, up-to-date software firewall on your device.
- Do not change or disable company security controls (firewall, antivirus, etc.).
- Use only the company-provided remote-access software, configured for MFA.
- Do not install unauthorized remote-access technologies on Neuroscale systems.
- If you must access Neuroscale resources from a public computer, log out, do not save anything, do not check “remember me”, collect printed materials, and do not download files.
Acceptable use
Neuroscale proprietary and customer information stored on devices — whether owned or leased by Neuroscale, the employee, or a third party — remains the property of Neuroscale. You must protect proprietary information per the Data Management Policy. Use of Microsoft SharePoint is required for business file storage on laptops and company-issued devices. Promptly report theft, loss, or unauthorized disclosure of Neuroscale proprietary information or equipment. Access, use, or share Neuroscale proprietary information only to the extent authorized and necessary for your assigned duties. Personal use of company devices must be reasonable. For security and network-maintenance purposes, authorized individuals may monitor equipment, systems, and network traffic at any time. Neuroscale reserves the right to audit networks and systems on a periodic basis.
Unacceptable use
The following activities are prohibited. Employees may be exempted only with documented management approval. No employee is authorized to engage in any activity that is illegal under local, state, federal, or international law while using Neuroscale-owned resources or representing Neuroscale.
- Violations of intellectual-property rights — copyright, trade secret, patent — including installation or distribution of pirated software.
- Unauthorized copying of copyrighted material.
- Accessing data, a server, or an account for any purpose other than conducting Neuroscale business.
- Exporting software, technical information, encryption software, or technology in violation of export-control laws.
- Introducing malicious programs (viruses, worms, trojans, email bombs).
- Revealing your account password to others or allowing use of your account by others, including family members.
- Using a Neuroscale asset to procure or transmit material that violates harassment or hostile-workplace laws.
- Making fraudulent offers of products or services from a Neuroscale account.
- Making warranty statements unless part of normal job duties.
- Effecting security breaches or disruptions of network communication, including network sniffing, ping floods, packet spoofing, denial-of-service, and forged routing information.
- Port scanning or security scanning unless prior notification has been made to the engineering team.
- Network monitoring that intercepts data not intended for your host (unless that’s your job).
- Circumventing user authentication or security of any host, network, or account.
- Introducing honeypots, honeynets, or similar technology on the Neuroscale network.
- Interfering with or denying service to other users.
- Providing lists of Neuroscale employees, contractors, partners, or customers to outside parties without authorization.
Email and communications
When using company resources to access the internet, you represent the company. The following are strictly prohibited:
- Sending unsolicited email (spam) or other advertising material.
- Harassment via email, telephone, or messaging.
- Forging email-header information.
- Soliciting email for any other email address with intent to harass.
- Chain letters, Ponzi, or pyramid schemes.
- Unsolicited email originating from Neuroscale networks advertising any service hosted by or connected via Neuroscale.
Related policies
Personnel are responsible for reading and complying with all policies relevant to their role.
| Policy | Purpose |
|---|---|
| Access Control | Limit access to authorized parties. |
| Asset Management | Identify and protect organizational assets. |
| Business Continuity & DR | Maintain operations through disruption. |
| Cryptography | Effective use of cryptography. |
| Data Management | Classify, retain, and dispose of data. |
| HR Security | People-side security controls. |
| Incident Response | Detect, contain, recover from incidents. |
| Operations Security | Secure operation of production systems. |
| Physical Security | Office and facility controls. |
| Risk Management | Identify and treat information-security risk. |
| Secure Development | Security in the SDLC. |
| Third-Party Management | Vendor and supplier security. |
Compliance
Neuroscale will measure and verify compliance through ongoing monitoring and both internal and external audits.
Exceptions
Requests for exceptions must be submitted to the CISO for approval.
Violations & enforcement
Report known violations to the CISO. Violations can result in immediate withdrawal or suspension of system and network privileges, and disciplinary action up to and including termination of employment.
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |