Policy Owner: CISO
Effective Date: May 8, 2026
Reviewed: Annually
Next Review: May 8, 2027

Purpose

To prevent unauthorized physical access or damage to Neuroscale’s information and information-processing facilities.

Scope

All Neuroscale offices and locations. Applies to all Neuroscale employees and external parties with physical access to Neuroscale-owned or leased facilities.
Neuroscale operates a physical office at 46175 Westlake Dr Ste 300, Sterling, VA 20165. The controls below apply at that office and at any additional Neuroscale-operated facility.Neuroscale’s production infrastructure runs in AWS data centers (primary) and Vultr data centers (secondary, for compute and database hosting). Physical security at the data-center level is each cloud provider’s responsibility, attested via SOC 2, ISO 27001, and other certifications (AWS publishes its attestations; Vultr provides SOC 2 Type II reports under NDA).

Physical security perimeter

Physical offices and processing facilities meet local building codes for construction materials. Some interior zones may be identified as secure areas where physical access is further restricted to a subset of personnel — for example, private offices, wiring closets, print and server rooms, and server racks.

Physical entry controls

Secure areas are protected by appropriate entry controls. The Sterling, VA office is controlled by mechanical locks and Neuroscale-issued keys (no electronic badge system); CCTV is used at common-area entry points and shared spaces, and recorded events are reviewed as needed. Where Neuroscale operates or leases additional premises that include a centralized electronic access-control system, that system provides granular access control for individual personnel and access events are logged. Production systems are cloud-hosted (no Neuroscale facility stores or processes production data); where Neuroscale operates facilities that handle sensitive internal data, cameras and physical intrusion-detection (alarm) systems are used where deployed.

Physical access provisioning and review

Physical access to Neuroscale-operated facilities is granted, changed, and revoked on an authorized basis tied to employment status:
  • Office keys (and, where deployed, electronic access credentials) are issued to a worker only when their role requires on-site access, on authorization from the office/facilities owner.
  • On separation, or a role change that removes the need for on-site access, issued keys and credentials are recovered or revoked through offboarding — keys on or before the separation date, and any electronic credentials within the access-termination SLAs in the Access Control Policy.
  • The list of personnel holding office keys or facility-access credentials is reviewed at least annually, alongside the logical access reviews. Discrepancies are remediated, and where a key cannot be accounted for the affected locks are re-keyed.
Physical access to the data centers that host production systems is provisioned, reviewed, and revoked by the cloud providers (AWS and Vultr). Neuroscale relies on those providers’ SOC 2 and ISO/IEC 27001 attestations for data-center access governance rather than operating its own data-center access process.

Securing offices, rooms, and facilities

Physical security for offices, rooms, and facilities is designed to protect from theft, misuse, environmental threats, unauthorized access, and other threats to the confidentiality, integrity, and availability of classified data and systems.

Protecting against external & environmental threats

Physical protection against natural disasters, malicious attack, or accidents is designed and applied. Secure areas are monitored through controls such as intrusion-detection systems, alarms, and video surveillance where feasible. Visitor and third-party access to secure areas is restricted to reduce the risk of information loss and theft. Production processing facilities are equipped with appropriate environmental and continuity controls including fire-suppression systems, climate control, and emergency backup power. Hardware is regularly serviced per manufacturer recommendations.

Equipment and cabling security

Power and telecommunications cabling carrying data or supporting information services within Neuroscale-operated offices is protected from interception, interference, and damage — for example, by keeping network and power cabling within the controlled office space and locked wiring closets, and securing or routing exposed runs away from public thoroughfares where practical. Cabling and networking equipment in shared or landlord-controlled building risers is maintained by the building operator under the lease. Cabling, power, and hardware within the production data centers are the responsibility of the cloud providers (AWS and Vultr) and are attested through their SOC 2 and ISO/IEC 27001 certifications.

Clear desk and clear screen

Clear-desk rules for printed materials and removable storage media, and clear-screen rules for workstations, are defined and enforced under the Information Security Policy. They apply at all Neuroscale offices and secure areas.

Working in secure areas / visitor management

Visitors, delivery personnel, outside support technicians, and other external agents are not permitted access to secure areas without escort or appropriate oversight. Third parties in secure areas sign in and out on a visitor log and are escorted or monitored by Neuroscale personnel. Personnel observing unescorted visitors should approach the visitor, confirm their status, and ensure they return to approved areas — or report the observation to the CHRO. External-party access to secure areas is confirmed with appropriate Neuroscale personnel prior to being granted. The personnel providing access are responsible for ensuring third parties adhere to all security requirements and are accountable for actions taken by outsiders they admit. Visitors may work unescorted only if the sponsoring party can ensure they will not have unauthorized access to information systems, networks, or data.

Visitor-log and CCTV retention

Visitor sign-in/sign-out records are retained for twelve (12) months from the date of the visit, after which records are securely deleted unless an active legal hold, ongoing investigation, or recordable workplace-incident report requires longer retention. CCTV footage is retained for thirty (30) days unless preserved for an investigation. (The Sterling office does not use an electronic badge-access system; if Neuroscale deploys one at the Sterling office or any future premises, electronic badge-access logs will be retained for the same twelve (12) months as visitor records.) Retention follows the Records Retention Schedule; workplace-incident records that intersect with a visitor entry are retained per the Workplace Violence Prevention Policy. Access to visitor and CCTV records is restricted to authorized HR, Security, and Legal personnel, consistent with the Employee Privacy Policy.

Delivery & loading areas

Delivery and loading areas, and other points where unauthorized persons could enter secure areas, are controlled and isolated from information-processing facilities where possible.

Supplier, vendor, and third-party security

Suppliers, vendors, and third parties comply with Neuroscale physical-security and environmental-controls requirements. Neuroscale assesses third-party physical-security adequacy as part of the vendor-management process per the Third-Party Management Policy.

Exceptions

Requests for exceptions must be submitted to the CISO for approval.

Violations & enforcement

Report violations to the CISO. Violations may result in suspension of privileges and disciplinary action up to and including termination.

Version history

VersionDateDescriptionAuthorApproved by
1.0May 8, 2026Initial versionCameron WolfeIshan Jadhwani
1.1June 18, 2026Added physical access provisioning/review, equipment and cabling security, and clear desk/screen cross-reference; clarified data-center access as cloud-provider-inherited.Cameron WolfePending approval