Policy Owner: General Counsel
Co-signers: CTO, CISO
Effective Date: May 10, 2026
Reviewed: Annually
Next Review: May 10, 2027

Purpose

Establish the operational rules and the Customer / Neuroscale responsibility allocation for all outbound communications to Candidates through the Arbi recruiting platform. Telephone, SMS, email, voice, and AI-agent in-app channels are within scope; internal workforce communications are not.

Scope

All Customer-initiated and Neuroscale-AI-agent-initiated outbound communications to Candidates via email, SMS, voice (autodialed or pre-recorded), and in-app or chatbot messaging. The principal legal regimes governing outbound communications under this policy are:
  • U.S. — Telephone Consumer Protection Act (TCPA), 47 U.S.C. §227, and FCC implementing rules, including (i) the 2024 1:1-consent rule at 47 C.F.R. §64.1200(a)(10) (recordkeeping for prior express written consent on a per-seller basis), and (ii) the FCC’s February 8, 2024 Declaratory Ruling (FCC 24-17) confirming that the TCPA’s prohibition at §227(b)(1) on using an “artificial or prerecorded voice” to make robocalls or robotexts without prior express consent reaches AI voice-cloning and AI-generated voice regardless of source product — including, where the use case applies, voice content generated by Neuroscale’s Aurora feature delivered through Customer’s voice or SMS channels. Aurora-generated content delivered by Customer is governed by AI Acceptable Use → Synthetic media of persons and Terms of Service §8.9; this policy governs Arbi-platform outbound communications.
  • U.S. — CAN-SPAM Act, 15 U.S.C. §§7701–7713; 16 C.F.R. Part 316.
  • State mini-TCPAs, including Florida F.S. §501.059; Washington RCW 19.190; Oklahoma 15 OS §775D.1; Maryland Md. Code Com. Law §14-3201.
  • U.S. — California SB 1001 (Bot Disclosure), Cal. Bus. & Prof. Code §§17940–17943.
  • EU AI Act Art. 50 — AI-system-interaction transparency.
  • Utah AI Policy Act, Utah Code §§13-72-101 et seq. — generative-AI disclosure.
  • Canada — CASL (Canadian Anti-Spam Law), S.C. 2010, c. 23, §6.
  • UK — PECR Reg. 22 (Privacy and Electronic Communications (EC Directive) Regulations 2003).
  • EU — ePrivacy Directive, Directive 2002/58/EC, Art. 13(2).
  • GDPR / UK GDPR, Arts. 6 (lawful basis), 13 / 14 (transparency), 21 (right to object including direct marketing).

Allocation of responsibility

The Customer is the deployer of outbound communications and is responsible for the substantive consent-and-content obligations. Neuroscale is the developer / operator of the platform and is responsible for the platform-level controls that enable the Customer to discharge those obligations.

Customer (deployer) responsibilities

The Customer represents and warrants, before causing any outbound communication to be sent through the Service:
  1. TCPA prior express written consent. The Customer has obtained, and can produce on request, prior express written consent for any SMS message or autodialed / pre-recorded voice call to a mobile or residential telephone number, including the per-seller consent record required by the FCC’s 2024 1:1 consent rule.
  2. State mini-TCPA compliance. Customer observes quiet-hours and any state-specific timing, identification, or consent rules.
  3. CAN-SPAM compliance for email. Every commercial email contains a functioning unsubscribe mechanism, a valid postal address, accurate sender identification, and a non-misleading subject line.
  4. CASL §6. For Canadian recipients, Customer has obtained express or implied consent satisfying CASL §6 and observes the unsubscribe and identification rules.
  5. PECR / ePrivacy. For UK and EEA recipients, Customer has obtained consent satisfying PECR Reg. 22 and ePrivacy Directive Art. 13(2). The soft-opt-in does not apply to Candidate recruiting outreach.
  6. Suppression-list honoring. Customer respects (a) the Neuroscale global suppression list (Candidate-direct opt-outs); (b) the Customer’s per-workspace suppression list; and (c) any third-party Do Not Call lists applicable to Customer’s jurisdiction.
  7. Revocation handling within 10 business days. Customer processes opt-outs within 10 business days of receipt; SMS STOP keywords are honored within 60 seconds (this control is operated by Neuroscale at the platform level, but Customer must not override).
  8. Per-seller consent recordkeeping. Customer maintains consent records sufficient to demonstrate compliance with the FCC 1:1 consent rule for the period required by FCC rules (currently 4 years; verify before each engagement).
  9. AEDT and AI-deployer notices. Where outbound communications are part of an AEDT workflow (e.g., NYC LL 144 candidate notice; Colorado AI Act deployer disclosure), Customer delivers the underlying notice in accordance with the AEDT Candidate Notice template and analogous templates.

Neuroscale (developer / operator) responsibilities

Neuroscale operates the platform controls that make Customer compliance feasible:
  1. Functioning unsubscribe link in every email message rendered through the platform.
  2. STOP / UNSUBSCRIBE / QUIT keyword honoring on SMS within 60 seconds, with platform-level confirmation that no further messages from the same Customer go out for the rest of the sequence.
  3. AI-agent disclosure at session start per California SB 1001, EU AI Act Art. 50, and Utah AI Policy Act §13-72-201, using the AI Interaction Disclosure template. The disclosure is repeated when the channel switches (e.g., email → SMS) within the same conversation.
  4. Global Neuroscale suppression list, accessible to Candidates at privacy@neuroscale.ai with the subject line “Global Outreach Suppression” or “Sourcing Database — Removal.” Suppression applies across all Customers using the platform.
  5. Per-Customer workspace suppression list, populated by Candidate-side opt-outs received by that Customer.
  6. Sender-ID authentication for email — SPF, DKIM, DMARC alignment; sender-ID verification for SMS (10DLC or short code as appropriate).
  7. FCC 1:1 consent recordkeeping infrastructure, with per-Customer evidence retention; consent records made available to Customer on request and retained per the Records Retention Schedule.
  8. Anomaly monitoring. Complaint rate, bounce rate, and STOP rate are monitored 24×7; sequences exceeding thresholds are throttled and the relevant Customer is alerted.
  9. Audit-log access for Customer recordkeeping.

Channel-specific rules

Email

  • CAN-SPAM compliant footer with valid postal address (NEUROSCALE LLC, 46175 Westlake Dr Ste 300, Sterling, VA 20165 — or Customer’s postal address per the executed Order Form).
  • One-click unsubscribe (RFC 8058 List-Unsubscribe-Post header) for ESP-routed mail.
  • Accurate From, Reply-To, and subject line.
  • DKIM-signed and SPF-aligned; DMARC alignment at p=quarantine or p=reject for outbound domains.

SMS

  • TCPA prior express written consent required before any commercial SMS, including each individual seller per the 2024 1:1 consent rule.
  • HELP / STOP / UNSUBSCRIBE / QUIT / END / CANCEL keywords honored; STOP-confirmation message sent and no further messages dispatched.
  • Quiet-hours observed: no SMS between 8:00 PM and 8:00 AM in the recipient’s local time, subject to state-specific stricter rules (Florida 8 AM – 8 PM; Washington 8 AM – 9 PM; consult the per-state matrix).
  • 10DLC registration for application-to-person traffic in the US, where applicable.

Voice (autodialed / pre-recorded)

  • TCPA prior express written consent required before any pre-recorded or autodialed call to a mobile or residential number.
  • DNC (Do Not Call) registry checked against the dialing list before each campaign.
  • Caller ID accurately identifies the originator.
  • Recording disclosure played at call start where required by state law.

AI-agent in-app / chatbot

  • SB 1001 / EU AI Act Art. 50 / Utah AI Policy Act §13-72-201 disclosure at session start using the AI Interaction Disclosure template.
  • Persistent on-surface labeling indicating the chat partner is AI.
  • “Type ‘human’ to be transferred to a recruiter” or equivalent visible at all times.

Suppression-list management

  • Global Neuroscale suppression list. Applied across all Customer workspaces for any Candidate who has requested global removal.
  • Customer-specific suppression list. Applied within the requesting Customer’s workspace only; not automatically propagated to other Customers (a Candidate who opts out of one Customer’s outreach may still be in scope for another Customer’s outreach unless they also exercise the global opt-out).
  • Suppression-list integrity audit. Performed at least every 30 days; entries with corrupted hashes are repaired and the corresponding Candidate is suppressed pending repair.

Records retention

  • Consent records: retained for 7 years per FCC and per the executed Customer DPA.
  • Suppression-list entries: indefinite.
  • Outbound message logs: per the Records Retention Schedule (Application logs 90 days hot; 13 months cold).
  • Customer-side notices delivered (AEDT, Colorado AI Act, Illinois HB 3773 notices, etc.): retained by Customer per applicable law and Customer’s records-retention policy.

Cross-references

Governance

  • Policy Owner: General Counsel.
  • Co-signers: CTO, CISO.
  • Annual review: This policy is reviewed at least annually and on each material change to TCPA / CAN-SPAM / CASL / PECR rules, FCC rulemakings (e.g., reaffirmation of the 1:1 consent rule), EU AI Act implementing acts, or platform architecture.

Exceptions

Exceptions require written General Counsel approval and are documented in SharePoint — Compliance. No exception may permit outbound communications that would violate TCPA, CAN-SPAM, CASL, PECR, or analogous law.

Violations & enforcement

Violations of this policy may result in disciplinary action up to and including termination. Where a violation has caused unlawful outbound communications affecting Candidates, the General Counsel will determine whether the Incident Response Plan breach-notification matrix is engaged.

Version history

VersionDateDescriptionAuthorApproved by
1.0May 10, 2026Initial versionCameron WolfeIshan Jadhwani