Policy Owner: CISO
Effective Date: May 8, 2026
Reviewed: Annually
Next Review: May 8, 2027
Effective Date: May 8, 2026
Reviewed: Annually
Next Review: May 8, 2027
Purpose
To prevent unauthorized physical access or damage to Neuroscale’s information and information-processing facilities.Scope
All Neuroscale offices and locations. Applies to all Neuroscale employees and external parties with physical access to Neuroscale-owned or leased facilities.Neuroscale operates a physical office at 46175 Westlake Dr Ste 300, Sterling, VA 20165. The controls below apply at that office and at any additional Neuroscale-operated facility.Neuroscale’s production infrastructure runs in AWS data centers (primary) and Vultr data centers (secondary, for compute and database hosting). Physical security at the data-center level is each cloud provider’s responsibility, attested via SOC 2, ISO 27001, and other certifications (AWS publishes its attestations; Vultr provides SOC 2 Type II reports under NDA).
Physical security perimeter
Physical offices and processing facilities meet local building codes for construction materials. Some interior zones may be identified as secure areas where physical access is further restricted to a subset of personnel — for example, private offices, wiring closets, print and server rooms, and server racks.Physical entry controls
Secure areas are protected by appropriate entry controls. The Sterling, VA office is controlled by mechanical locks and Neuroscale-issued keys (no electronic badge system); CCTV is used at common-area entry points and shared spaces, and recorded events are reviewed as needed. Where Neuroscale operates or leases additional premises that include a centralized electronic access-control system, that system provides granular access control for individual personnel and access events are logged. Cameras and intrusion-detection systems are used at facilities that store or process production or sensitive internal data.Securing offices, rooms, and facilities
Physical security for offices, rooms, and facilities is designed to protect from theft, misuse, environmental threats, unauthorized access, and other threats to the confidentiality, integrity, and availability of classified data and systems.Protecting against external & environmental threats
Physical protection against natural disasters, malicious attack, or accidents is designed and applied. Secure areas are monitored through controls such as intrusion-detection systems, alarms, and video surveillance where feasible. Visitor and third-party access to secure areas is restricted to reduce the risk of information loss and theft. Production processing facilities are equipped with appropriate environmental and continuity controls including fire-suppression systems, climate control, and emergency backup power. Hardware is regularly serviced per manufacturer recommendations.Working in secure areas / visitor management
Visitors, delivery personnel, outside support technicians, and other external agents are not permitted access to secure areas without escort or appropriate oversight. Third parties in secure areas sign in and out on a visitor log and are escorted or monitored by Neuroscale personnel. Personnel observing unescorted visitors should approach the visitor, confirm their status, and ensure they return to approved areas — or report the observation to the CHRO. External-party access to secure areas is confirmed with appropriate Neuroscale personnel prior to being granted. The personnel providing access are responsible for ensuring third parties adhere to all security requirements and are accountable for actions taken by outsiders they admit. Visitors may work unescorted only if the sponsoring party can ensure they will not have unauthorized access to information systems, networks, or data.Visitor-log and CCTV retention
Visitor sign-in/sign-out records are retained for twelve (12) months from the date of the visit, after which records are securely deleted unless an active legal hold, ongoing investigation, or recordable workplace-incident report requires longer retention. CCTV footage is retained for thirty (30) days unless preserved for an investigation. (The Sterling office does not use an electronic badge-access system; if Neuroscale deploys one at the Sterling office or any future premises, electronic badge-access logs will be retained for the same twelve (12) months as visitor records.) Retention follows the Records Retention Schedule; workplace-incident records that intersect with a visitor entry are retained per the Workplace Violence Prevention Policy. Access to visitor and CCTV records is restricted to authorized HR, Security, and Legal personnel, consistent with the Employee Privacy Policy.Delivery & loading areas
Delivery and loading areas, and other points where unauthorized persons could enter secure areas, are controlled and isolated from information-processing facilities where possible.Supplier, vendor, and third-party security
Suppliers, vendors, and third parties comply with Neuroscale physical-security and environmental-controls requirements. Neuroscale assesses third-party physical-security adequacy as part of the vendor-management process per the Third-Party Management Policy.Exceptions
Requests for exceptions must be submitted to the CISO for approval.Violations & enforcement
Report violations to the CISO. Violations may result in suspension of privileges and disciplinary action up to and including termination.Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |