Policy Owner: CISO
Effective Date: May 8, 2026
Reviewed: Annually
Next Review: May 8, 2027

Purpose

To ensure protection of Neuroscale data and assets that are shared with, accessible to, or managed by suppliers — including external parties or third-party organizations such as service providers, vendors, and customers — and to maintain an agreed level of information security and service delivery in line with supplier agreements. This document outlines a baseline of security controls that Neuroscale expects partners and other third-party companies to meet when interacting with Neuroscale Confidential data.

Scope

All data and information systems owned or used by Neuroscale that are business-critical and/or process, store, or transmit Confidential data. Applies to all Neuroscale employees and external parties — consultants, contractors, business partners, vendors, suppliers, partners, outsourced service providers — with access to Neuroscale data, systems, networks, or system resources.

Policy

Information-security requirements for mitigating the risks associated with a supplier’s access to Neuroscale assets are agreed with the supplier and documented. For all service providers who may access Neuroscale Confidential data, systems, or networks, proper due diligence is performed prior to provisioning access or engaging in processing activities. We track which regulatory or certification requirements (ISO 27001, SOC 2, CCPA, GDPR, and any other certification or regulation a customer flow-down requires) are managed by each provider and which are managed by Neuroscale. The vendor-management process is described in Vendor Risk Assessment. The active vendor list lives in Vanta.

Information security in third-party relationships

Addressing security in agreements

Relevant information-security requirements are established and agreed with each supplier that may access, process, store, transmit, or impact the security of Confidential data and systems, or provide IT infrastructure components for Neuroscale. Written agreements are maintained that include the service provider’s acknowledgment of their responsibilities for confidentiality of company and customer data, and any commitments regarding integrity, availability, or privacy controls they manage. Standard form agreements:

Technology supply chain

Risks associated with suppliers and the technology supply chain are considered and assessed. Where warranted, supplier agreements include requirements to address the relevant information-security risks associated with information and communications-technology services and the product supply chain.

Third-party service-delivery management

Monitoring & review

Supplier service delivery is regularly monitored, reviewed, and audited. Supplier security and service-delivery performance is reviewed at least annually.

Management of changes

Changes to the provision of services by suppliers — including changes to agreements, services, technology, policies, procedures, or controls — are managed considering the criticality of the business information, systems, and processes involved. Neuroscale assesses the risk of any material changes by suppliers and modifies agreements and services accordingly.

Third-party risk management

Potential risks posed by sharing Confidential data or providing access to company systems are identified, documented, and addressed per this policy. Neuroscale shall not share or transmit Confidential data to a third party without first performing a third-party risk assessment and fully executing a written contract, statement of work, or service agreement describing expected service levels and any specific information-security requirements.

Information security for use of cloud services

Responsibilities & risk management

Security requirements & control

  • Neuroscale is responsible for all customer controls defined in cloud service providers’ shared-responsibility matrices.

Service selection & usage scope

  • Reviews of cloud-service agreements for inherently high-risk providers are performed annually.

Incident management

Service review & exit strategy

  • Risks related to exit and vendor lock-in are evaluated prior to acquisition as part of the vendor security assessment.

Provider & customer agreement

  • Agreements with cloud providers specify protections for Neuroscale data and service availability, even if predefined and non-negotiable.
  • Where possible, Neuroscale seeks advance notification of substantive changes — technical infrastructure, data-storage location, sub-contractor usage.

Ongoing management

  • Information about how to obtain and use security capabilities provided by the cloud provider is assessed at acquisition.

AI / model providers — supplemental due-diligence tier

Third parties whose service includes hosted AI inference, model training, or fine-tuning on Neuroscale-supplied data — including, currently, Anthropic, OpenAI, xAI, and Cerebras — are subject to the standard due-diligence above and the following supplemental controls:
  • Executed DPA with SCC Module 2/3 and UK IDTA where applicable. Status is published on the Subprocessor List.
  • Training-data carve-out. The contract must prohibit use of Neuroscale-submitted Customer content for training the provider’s foundation models for general availability, and must restrict any abuse-monitoring retention to the minimum necessary period.
  • Sub-processor disclosure and notice. The provider must publish a sub-processor list and provide change notice consistent with Neuroscale’s commitments to its Customers.
  • Output / feature documentation. For any provider that contributes outputs surfaced to Customers in a high-risk feature, model cards and intended-purpose documentation are kept on file in the AI Model Registry.
  • Annual review. The CISO reviews the AI-provider tier at least annually and on any material change in the provider’s terms, privacy posture, or sub-processor list.

Third-party security standards

All third parties must maintain reasonable organizational and technical controls as assessed by Neuroscale. Assessment of third parties that receive, process, or store Confidential data — or access Neuroscale’s resources — considers the following controls based on the service and data sensitivity:
  • Information Security Policy — third parties maintain executive-supported, regularly reviewed policies.
  • Risk Assessment & Treatment — programs to assess, evaluate, and manage information and technology risks.
  • Operations Security — testing, anti-malware, network protection, technical vulnerability management, logging/monitoring, incident response, business-continuity planning.
  • Access Control — technical access-control program.
  • Secure System Development — secure-development program with risk assessment, change management, code standards, code review, and testing.
  • Physical & Environmental Security — meets the requirements of the Physical Security Policy where storing or processing Confidential data.
  • Human Resources — HR processes including criminal background checks for any employees or contractors who access Neuroscale Confidential information.
Neuroscale considers all applicable regulations and laws when evaluating suppliers and third parties that access, store, process, or transmit Neuroscale Confidential data. Assessments consider:
  • Protection of customer data, organizational records, and records retention/disposition.
  • Privacy of Personally Identifiable Information (PII).

Exceptions

Requests for exceptions must be submitted to the CISO for approval.

Violations & enforcement

Report violations to the CISO. Violations may result in suspension of privileges and disciplinary action up to and including termination.

Version history

Version | Date        | Description     | Author        | Approved by
1.0     | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani