Policy Owner: CISO
Effective Date: May 8, 2026
Reviewed: Annually
Next Review: May 8, 2027
This policy states the principle of role assignment. The operational system of record (who currently fills each role, and how every responsibility maps to a role) is Roles & Personnel. The two documents must stay in sync; any change to one requires a corresponding change to the other in the same PR.

Statement of policy

Neuroscale is committed to conducting business in compliance with all applicable laws, regulations, and company policies. This policy outlines the role structure required to protect electronic information systems and related equipment from unauthorized use.

Objective

To define a small, stable set of roles that own information-security responsibilities across Neuroscale, so that every responsibility in the policy library has exactly one accountable role, segregation-of-duties is preserved, and continuity is maintained when a specific individual is unavailable.

Applicability

This policy applies to all Neuroscale infrastructure, network segments, and systems, and to the employees and contractors who provide security and IT functions. Awareness of it extends to the broader Neuroscale community: partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers.

Role taxonomy

Neuroscale uses three tiers of roles, plus governance bodies and regulatory aliases:

Tier 1 — Executive (6)

Each Tier-1 role carries final accountability for its function and is filled by a single named individual.
Role | Function
CEO | Final accountability; chairs the Executive Team; owns risk acceptance and final breach determination.
CTO | Engineering and product. Owns architecture, customer-facing service delivery, and continuity of customer service.
CISO | Security, IT, and compliance. Owns the information security program end-to-end.
CFO | Finance. Owns vendor-contract review and oversight of third-party risk management.
General Counsel | Legal and privacy. Owns breach notification, privacy program, contracts, and whistleblower intake. Holds regulatory titles where required.
CHRO | People. Owns hiring, onboarding/offboarding, training, code of conduct, employment law, and physical/office safety.

Tier 2 — Operational (6)

Operational roles where segregation of duties matters. At Neuroscale’s current size, most are filled by an executive (see Roles & Personnel); they are split out into dedicated positions as the company grows.
Role | Function
Engineering Lead | Production change-management approval; PR-review chain-of-trust; release-checklist sign-off; vulnerability remediation.
Engineering On-call | First responder for production issues; rotates among senior engineers; member of the IRT during security incidents.
Security On-call | First-touch security triage and severity assignment.
Incident Manager | Per-incident decision-maker during the response period. Default = CISO; the on-call IRT lead steps in when the CISO is unavailable.
System Owner | Per-system accountable engineer for an asset in the Vanta asset inventory. Approves non-standard access and changes to that system.
Data Owner | Per-data-domain function lead. Sets the retention period (with Legal) and approves transfer outside the company.

Tier 3 — Label descriptors (4)

Relational labels used in policy text. These are not roles you would staff.
Label | Meaning
Manager | An employee’s direct supervisor.
Hiring Manager | The person who opened a requisition.
Risk Owner | The executive accountable for a specific entry in the risk register.
Vendor Owner | The employee who sponsors a vendor relationship.

Governance bodies

Body | Members and mandate
Board of Directors | Independent governance. Annual oversight of cyber-risk, privacy, and compliance posture.
Executive Team | CEO + CTO + CISO + CFO + General Counsel + CHRO. Collective decision-making for risk acceptance, breach determination, BC/DR activation, and capital approval.

Regulatory aliases

The following regulatory titles are required by specific frameworks. They are not separate roles; each maps to a Tier-1 executive.
Regulatory title | Required by | Filled by
Data Protection Officer (DPO) | GDPR Art. 37. Mandatory appointment is not currently triggered for Neuroscale (no public-authority status, no large-scale regular and systematic monitoring of data subjects, no large-scale processing of special-category data). The General Counsel performs DPO duties voluntarily as a matter of program hygiene. See the DPO independence note below for the conflict considerations that apply to a GC acting as voluntary DPO; the position is reassessed on each material scope change (new product line, new data category, new monitoring activity, expansion into the EU). | General Counsel
Privacy Officer | CCPA / CPRA, US state privacy laws | General Counsel
IT Manager | Vendor / customer questionnaires (legacy term) | CISO
Compliance Manager | Vendor / customer questionnaires (legacy term) | CISO

Responsibilities by role

CEO

  • Chairs the Executive Team.
  • Final accountability for organizational risk acceptance and treatment.
  • Final breach determination if the Executive Team cannot reach consensus.
  • External communications during major incidents (with General Counsel and CFO).
  • Communication path between the Executive Team and the Board of Directors.

CTO

  • Engineering and product leadership.
  • Owns the Engineering Lead function operationally until the company splits the role.
  • Approves use of customer data in non-production environments.
  • Maintains continuity of services during a disaster (with the CISO).
  • Owns customer/product data as a Data Owner.

CISO

  • End-to-end ownership of the information security program.
  • Approves all policy exceptions.
  • Maintains the risk register; communicates risks to the Executive Team and Board.
  • Coordinates development and maintenance of all security policies and standards.
  • Liaison to the Board, law enforcement, internal audit, and General Counsel for security matters.
  • Default Incident Manager for security incidents.
  • Owns identity management, access control, vulnerability management, and key management.
  • Owns the IT function operationally until the company splits the role.

CFO

  • Finance, accounting, and treasury.
  • Oversight of third-party risk-management process.
  • Reviews vendor service contracts.
  • Co-approves vendors with Confidential-data access (with the CISO).
  • Owns financial data as a Data Owner.

General Counsel

  • Legal advice across the company.
  • Holds the DPO and Privacy Officer titles.
  • Determines, with the CEO and Executive Team, if an incident is a reportable breach.
  • Reviews and approves all external breach notices in writing.
  • Legal-hold determination and tracking.
  • Owns the Whistleblower program (with the CHRO).
  • Owns legal/contract data as a Data Owner.

CHRO

  • People function — hiring, onboarding, offboarding, performance.
  • Background checks (Checkr) and FCRA-compliant adverse-action process.
  • Annual security-awareness training enforcement.
  • Code-of-Conduct enforcement.
  • Disciplinary process for policy violations.
  • Internal communications during a disaster; physical health and safety of the workforce.
  • Office physical security where Neuroscale operates physical facilities.
  • Owns HR data as a Data Owner.

Engineering Lead

  • Approves significant production changes and release sign-offs.
  • Approves the PR-review chain — every code change has at least one approving review from someone other than the author.
  • Owns vulnerability remediation against SLA.
  • Owns the engineering portion of backup, logging, and monitoring operations.
  • Annual secure-development training delivery.

Engineering On-call

  • First responder for production issues.
  • IRT member during security incidents.
  • Provisioning / deprovisioning execution backup.

Security On-call

  • First-touch security triage and severity assignment.
  • Initial escalation to Executive Team for P0.

Incident Manager

  • Primary decision-maker during the response period.
  • Communicates status updates to stakeholders.
  • Determines and assigns follow-up actions.
  • Reports incident details that may trigger breach reporting, in writing to the CISO and General Counsel.

System Owner

  • Maintains confidentiality, integrity, and availability of the systems they own.
  • Approves technical access and change requests for non-standard access to those systems.
  • Participates in quarterly access reviews for their system.

Data Owner

  • Sets retention period (in consultation with General Counsel) for their data domain.
  • Approves transfer of confidential data outside the company.
  • Approves classification of new data sets within their domain.

All employees and contractors

  • Act in a manner that does not place at risk the health and safety of themselves, others, or the information and resources they use.
  • Help identify areas where risk-management practices should be adopted.
  • Take practical steps to minimize Neuroscale’s exposure to contractual and regulatory liability.
  • Adhere to company policies and the Code of Conduct.
  • Report incidents and observed anomalies or weaknesses.

Role concentration & compensating controls

Several Tier-1 roles are held by one person at Neuroscale’s current size. SOC 2 (TSC CC1.3, CC5.3), ISO/IEC 27001:2022 Annex A.5.3, and GDPR do not prohibit role concentration where segregation-of-duties (SoD) risks are documented and compensated. Concentrations and their compensating controls are listed below; named holders are in Roles & Personnel.
Role concentration | SoD risk | Compensating control
CTO + CISO held by one person | The same individual proposes engineering changes (CTO) and approves their security implications (CISO); the same individual investigates incidents (CISO) and owns the systems involved (CTO as Data Owner of customer/product data). | Code changes follow the PR-review chain in Secure Development and Code Review: every production change has an approving review from someone other than the author. Privileged production access requires a second approver per Access Control. Risk acceptance and breach determination require the CEO (and, for breaches, the General Counsel), so the CTO/CISO cannot self-approve. Quarterly access reviews include reviewer attestation independent of the granter.
CFO + CHRO held by one person | The same individual oversees vendor risk management (CFO) and the disciplinary / whistleblower process (CHRO); contract review (CFO) and Code-of-Conduct enforcement (CHRO) sit with one decision-maker. | Vendor approval for any vendor with Confidential-data access requires CISO + CFO sign-off per Vendor Risk Assessment, so the CFO cannot solo-approve. Whistleblower intake is co-owned with the General Counsel per Whistleblower; reports involving the CFO/CHRO route directly to the General Counsel and the CEO. Disciplinary actions involving the CHRO are escalated to the CEO.
General Counsel held by outside counsel rather than an in-house employee | External counsel may have less day-to-day visibility into Neuroscale operations; the engagement scope must cover the full set of GC duties listed above (breach determination, DPIA sign-off, whistleblower escalation). | A standing engagement letter scopes the outside-counsel role to all GC duties in this policy. The CEO is the internal point of contact and ensures matters route to outside counsel within defined SLAs. If GDPR Article 37 is triggered, an independent external DPO is retained separately to satisfy the Art. 38(6) independence requirement (outside counsel may also serve as DPO if independence is documented).
Default escalation on conflict. When a role-concentrated individual would otherwise self-approve, the decision escalates one level: CEO for an executive conflict, Board for a CEO conflict, outside counsel / external DPO for a legal or privacy conflict. The escalation is recorded in the relevant register (risk, incident, vendor, or whistleblower).

DPO independence note

GDPR Art. 38(6) requires that a DPO not perform tasks or duties that result in a conflict of interest with the DPO function. EDPB / former Article 29 Working Party guidance (WP243 rev.01, 2017) and enforcement decisions by member-state supervisory authorities (e.g., the Belgian APD’s 2020 fine on Proximus) treat senior roles that participate in determining the purposes and means of processing, the General Counsel role among them, as creating a structural conflict that disqualifies the holder from also serving as the mandatory Art. 37 DPO. While Art. 37 is not currently triggered, Neuroscale acknowledges this conflict consideration:
  • The General Counsel performs DPO-like duties voluntarily as a matter of program hygiene. Documentation does not represent that the GC is an “Art. 37 DPO,” and external-facing materials (privacy notice, RoPA, customer questionnaires) describe the GC as Neuroscale’s privacy program lead rather than as a designated DPO.
  • If a future change in scope causes Art. 37 to apply, Neuroscale will retain an independent person to serve as the Art. 37 DPO — either an in-house person whose other duties do not create a conflict, or an external DPO (a “DPO-as-a-service” arrangement, or a partner of outside counsel ring-fenced for DPO duties). Outside counsel may serve as DPO only if independence from controller/processor decision-making is documented and the DPO reports directly to the highest level of management consistent with Art. 38(3).
  • Where a Member-State law (e.g., Germany’s BDSG §38) imposes a DPO obligation on lower headcount thresholds, the trigger analysis is performed per jurisdiction; voluntary GC-as-DPO is replaced with an independent appointment where a national law would require it.
Review. The CISO reviews this section annually and on any Tier-1 reassignment. Material changes require Executive Team approval and an update to Roles & Personnel.

Policy compliance

The CISO measures compliance through reports, internal and external audits, and feedback from role holders. Exceptions require advance written approval from the CISO. Non-compliance is addressed with management and the CHRO and can result in disciplinary action up to and including termination.

Version history

Version | Date | Description | Author | Approved by
1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani