Policy Owner: CISO
Effective Date: May 8, 2026
Reviewed: Annually
Next Review: May 8, 2027
Effective Date: May 8, 2026
Reviewed: Annually
Next Review: May 8, 2027
Purpose
To prevent unauthorized physical access or damage to Neuroscale’s information and information-processing facilities.Scope
All Neuroscale offices and locations. Applies to all Neuroscale employees and external parties with physical access to Neuroscale-owned or leased facilities.Neuroscale operates a physical office at 46175 Westlake Dr Ste 300, Sterling, VA 20165. The controls below apply at that office and at any additional Neuroscale-operated facility.Neuroscale’s production infrastructure runs in AWS data centers (primary) and Vultr data centers (secondary, for compute and database hosting). Physical security at the data-center level is each cloud provider’s responsibility, attested via SOC 2, ISO 27001, and other certifications (AWS publishes its attestations; Vultr provides SOC 2 Type II reports under NDA).
Physical security perimeter
Physical offices and processing facilities meet local building codes for construction materials. Some interior zones may be identified as secure areas where physical access is further restricted to a subset of personnel — for example, private offices, wiring closets, print and server rooms, and server racks.Physical entry controls
Secure areas are protected by appropriate entry controls. The Sterling, VA office is controlled by mechanical locks and Neuroscale-issued keys (no electronic badge system); CCTV is used at common-area entry points and shared spaces, and recorded events are reviewed as needed. Where Neuroscale operates or leases additional premises that include a centralized electronic access-control system, that system provides granular access control for individual personnel and access events are logged. Production systems are cloud-hosted (no Neuroscale facility stores or processes production data); where Neuroscale operates facilities that handle sensitive internal data, cameras and physical intrusion-detection (alarm) systems are used where deployed.Physical access provisioning and review
Physical access to Neuroscale-operated facilities is granted, changed, and revoked on an authorized basis tied to employment status:- Office keys (and, where deployed, electronic access credentials) are issued to a worker only when their role requires on-site access, on authorization from the office/facilities owner.
- On separation, or a role change that removes the need for on-site access, issued keys and credentials are recovered or revoked through offboarding — keys on or before the separation date, and any electronic credentials within the access-termination SLAs in the Access Control Policy.
- The list of personnel holding office keys or facility-access credentials is reviewed at least annually, alongside the logical access reviews. Discrepancies are remediated, and where a key cannot be accounted for the affected locks are re-keyed.
Securing offices, rooms, and facilities
Physical security for offices, rooms, and facilities is designed to protect from theft, misuse, environmental threats, unauthorized access, and other threats to the confidentiality, integrity, and availability of classified data and systems.Protecting against external & environmental threats
Physical protection against natural disasters, malicious attack, or accidents is designed and applied. Secure areas are monitored through controls such as intrusion-detection systems, alarms, and video surveillance where feasible. Visitor and third-party access to secure areas is restricted to reduce the risk of information loss and theft. Production processing facilities are equipped with appropriate environmental and continuity controls including fire-suppression systems, climate control, and emergency backup power. Hardware is regularly serviced per manufacturer recommendations.Equipment and cabling security
Power and telecommunications cabling carrying data or supporting information services within Neuroscale-operated offices is protected from interception, interference, and damage — for example, by keeping network and power cabling within the controlled office space and locked wiring closets, and securing or routing exposed runs away from public thoroughfares where practical. Cabling and networking equipment in shared or landlord-controlled building risers is maintained by the building operator under the lease. Cabling, power, and hardware within the production data centers are the responsibility of the cloud providers (AWS and Vultr) and are attested through their SOC 2 and ISO/IEC 27001 certifications.Clear desk and clear screen
Clear-desk rules for printed materials and removable storage media, and clear-screen rules for workstations, are defined and enforced under the Information Security Policy. They apply at all Neuroscale offices and secure areas.Working in secure areas / visitor management
Visitors, delivery personnel, outside support technicians, and other external agents are not permitted access to secure areas without escort or appropriate oversight. Third parties in secure areas sign in and out on a visitor log and are escorted or monitored by Neuroscale personnel. Personnel observing unescorted visitors should approach the visitor, confirm their status, and ensure they return to approved areas — or report the observation to the CHRO. External-party access to secure areas is confirmed with appropriate Neuroscale personnel prior to being granted. The personnel providing access are responsible for ensuring third parties adhere to all security requirements and are accountable for actions taken by outsiders they admit. Visitors may work unescorted only if the sponsoring party can ensure they will not have unauthorized access to information systems, networks, or data.Visitor-log and CCTV retention
Visitor sign-in/sign-out records are retained for twelve (12) months from the date of the visit, after which records are securely deleted unless an active legal hold, ongoing investigation, or recordable workplace-incident report requires longer retention. CCTV footage is retained for thirty (30) days unless preserved for an investigation. (The Sterling office does not use an electronic badge-access system; if Neuroscale deploys one at the Sterling office or any future premises, electronic badge-access logs will be retained for the same twelve (12) months as visitor records.) Retention follows the Records Retention Schedule; workplace-incident records that intersect with a visitor entry are retained per the Workplace Violence Prevention Policy. Access to visitor and CCTV records is restricted to authorized HR, Security, and Legal personnel, consistent with the Employee Privacy Policy.Delivery & loading areas
Delivery and loading areas, and other points where unauthorized persons could enter secure areas, are controlled and isolated from information-processing facilities where possible.Supplier, vendor, and third-party security
Suppliers, vendors, and third parties comply with Neuroscale physical-security and environmental-controls requirements. Neuroscale assesses third-party physical-security adequacy as part of the vendor-management process per the Third-Party Management Policy.Exceptions
Requests for exceptions must be submitted to the CISO for approval.Violations & enforcement
Report violations to the CISO. Violations may result in suspension of privileges and disciplinary action up to and including termination.Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |
| 1.1 | June 18, 2026 | Added physical access provisioning/review, equipment and cabling security, and clear desk/screen cross-reference; clarified data-center access as cloud-provider-inherited. | Cameron Wolfe | Pending approval |