Policy Owner: General Counsel
Co-signers: CFO, CISO
Effective Date: May 8, 2026
Reviewed: Annually
Next Review: May 8, 2027
Co-signers: CFO, CISO
Effective Date: May 8, 2026
Reviewed: Annually
Next Review: May 8, 2027
Purpose
To ensure that Neuroscale’s products, services, technology, and business relationships comply with U.S. economic sanctions, U.S. and other applicable export-control laws, and anti-boycott regulations. This policy establishes the controls Neuroscale uses to identify and mitigate trade-compliance risk and the obligations of personnel who participate in sales, vendor onboarding, customer success, engineering, finance, and legal.Scope
All NEUROSCALE LLC operations, employees (U.S. and foreign-national), contractors, and other personnel; all Neuroscale software, services, and technology; all customers, partners, vendors, distributors, and other counterparties; and all transactions involving the export, re-export, or in-country transfer of items, software, technology, or services.Policy
Neuroscale conducts business in compliance with:- U.S. economic sanctions administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) under 31 C.F.R. Chapter V and applicable Executive Orders.
- U.S. export controls administered by the U.S. Department of Commerce, Bureau of Industry and Security (BIS), under the Export Administration Regulations (EAR), 15 C.F.R. Parts 730–774.
- U.S. anti-boycott laws under the EAR Part 760 and Section 999 of the Internal Revenue Code.
- U.S. arms-export controls under the International Traffic in Arms Regulations (ITAR), 22 C.F.R. Parts 120–130, to the extent applicable.
- Applicable foreign export-control and sanctions regimes in jurisdictions where Neuroscale does business (e.g., EU dual-use Regulation (EU) 2021/821, UK Export Control Order, etc.).
OFAC sanctions
Comprehensive country-based programs
Neuroscale does not provide products, services, software, or support to persons ordinarily resident in, located in, or organized under the laws of jurisdictions subject to comprehensive U.S. sanctions. Last reviewed: May 8, 2026 (next quarterly review: August 2026). As of that date these are:- Cuba (31 C.F.R. Part 515) — note: certain Internet-based services may be authorized under the Cuba Internet General License at §515.578; counsel reviews any Cuba-facing engagement.
- Iran (31 C.F.R. Part 560)
- North Korea / DPRK (31 C.F.R. Part 510)
- Syria (31 C.F.R. Part 542)
- Crimea, so-called Donetsk People’s Republic (DNR), and so-called Luhansk People’s Republic (LNR) regions of Ukraine (E.O. 13685; E.O. 14065)
Other restricted regions and programs
The following are subject to broad but not comprehensive restrictions and require General Counsel review before any transaction. Last reviewed: May 8, 2026 (next quarterly review: August 2026).- Russia and Belarus — under E.O. 14024, E.O. 14065, E.O. 14066, E.O. 14068, E.O. 14071, E.O. 14114, and successor orders, including the BIS “EAR §746.5–§746.8” Russia / Belarus controls and the OFAC services prohibitions on certain IT consultancy, IT design, and “covered software” services to persons in Russia under E.O. 14071 (most recently expanded by the OFAC determination of June 12, 2024). Counsel updates this section on each OFAC determination, BIS rule change, or successor Executive Order.
- Venezuela (E.O. 13692 and successor orders) — Government-of-Venezuela-related restrictions.
- Sectoral and list-based programs — including the SDN List, Sectoral Sanctions Identifications (SSI) List, Non-SDN Menu-Based Sanctions (NS-MBS) List, and the Non-SDN Chinese Military-Industrial Complex Companies (NS-CMIC) List.
Specially Designated Nationals (SDN) and other restricted lists
All customers, vendors, partners, distributors, and end-users are screened against the OFAC SDN List, the BIS Entity List (15 C.F.R. Part 744 Supp. No. 4), the BIS Denied Persons List, the BIS Unverified List, the State Department’s Debarred Parties List, and applicable EU and UK consolidated lists, before onboarding and on a continuing basis thereafter. Vendor screening is integrated with the Vendor Risk Assessment process. Customer screening is integrated with the customer-onboarding workflow. Screening is performed by an internal Neuroscale-built service that queries the U.S. International Trade Administration Consolidated Screening List API, which aggregates the OFAC SDN, BIS Entity, BIS Denied Persons, BIS Unverified, State Department Debarred, State Department Nonproliferation Sanctions, and DDTC AECA Debarred lists. EU and UK consolidated-list checks are performed against the published EU Financial Sanctions Files (FSF) and UK OFSI Consolidated List feeds, ingested by the same service. Re-screening runs on each upstream list update (typically daily for the U.S. consolidated list, and on the published cadence for the EU and UK feeds). A potential or confirmed match is escalated immediately to the General Counsel; any onboarding, payment, or service activity for the matched party is paused pending resolution. Confirmed SDN matches require an OFAC blocking and reporting determination by the General Counsel.Export Administration Regulations (EAR)
Product classification
Neuroscale software and technology are reviewed for export classification under the EAR Commerce Control List (15 C.F.R. Part 774, Supplement No. 1).- Most Neuroscale SaaS tooling and APIs are classified as ECCN 5D002.c.1 (“information security” software) where they incorporate non-standard cryptography (e.g., TLS, application-layer Vault Transit envelope encryption), and rely on License Exception ENC for “mass market” / commercial encryption per 15 C.F.R. §§740.17(b)(1) and 742.15(b). The classification of each product, SDK, and material technology release is recorded in the Export Classification Matrix with a “Last reviewed:
<date>” line. The General Counsel, with outside trade-compliance counsel as needed, reviews the classification at least annually and on each material functional change (new cryptographic primitive, new API surface, new packaging). - Items that do not incorporate controlled functionality are expected to classify as EAR99.
- Open-source / publicly available software, where it qualifies under 15 C.F.R. §742.15(b) and §734.7, may be excluded from the EAR; counsel reviews per release.
Encryption registration and reporting
For products classified 5D002 and relying on License Exception ENC:- A one-time encryption registration with BIS is required prior to first export of any 5D002 / ENC-eligible item. The General Counsel files the encryption registration with BIS through SNAP-R and records the assigned Encryption Registration Number (ERN) in the Export Classification Matrix. As of the effective date of this policy, the General Counsel files the registration in advance of the first foreign release of any 5D002 product; if the ERN is not yet on file when an export is contemplated, the General Counsel pauses the export until the registration is filed.
- A self-classification report is filed by the General Counsel annually by February 1 under 15 C.F.R. §740.17(b)(3), covering items self-classified as ENC-eligible “mass market” encryption that were exported during the prior calendar year. The filing is submitted via the BIS encryption email portal in the format prescribed by Supplement No. 8 to Part 742; the receipt and the file are retained per Recordkeeping.
- Where applicable, the semi-annual encryption reporting under §740.17(e) is filed.
Deemed-export rules
The release of controlled technology or source code to a foreign national in the United States is “deemed” an export to the foreign national’s country of most-recent citizenship or permanent residency under 15 C.F.R. §734.13(b). Neuroscale therefore:- Tracks the citizenship and immigration status of all employees and contractors with access to controlled technology, in coordination with HR and the General Counsel.
- Restricts access to controlled, license-required technology by foreign nationals from countries requiring a license, except under an authorized license or license exception, via access controls per the Access Control Policy.
- Maintains, where required, a technology control plan (TCP) for any restricted person with a need to access controlled technology.
License determinations
Where a transaction may require a BIS export license — based on item classification, destination, end-user, or end-use (including the catch-all controls of 15 C.F.R. Part 744 for WMD, military, military-intelligence, or restricted national-security end-uses) — the General Counsel makes the license determination, in consultation with outside trade-compliance counsel as needed, before the export occurs.AI-specific export controls
BIS has issued and updated rules controlling certain advanced AI compute, AI semiconductors, and AI model weights, including the “Framework for Artificial Intelligence Diffusion” rule and predecessor rules under 15 C.F.R. Parts 742, 744, and 746. Key provisions that may affect Neuroscale:- Controls on the export of trained AI model weights for models exceeding specified compute thresholds.
- End-use and end-user restrictions on advanced AI compute resources.
- Restrictions on providing access to U.S.-origin advanced AI to certain destinations.
Reviewed against BIS rule version: <date> line. The General Counsel reconfirms the matrix entry against the then-current BIS rule version (a) on each material Neuroscale model release, (b) on each BIS rule update or successor Executive Order, and (c) at the annual policy-review cycle. Reconfirmation is recorded by updating the “Last reviewed” line in the matrix and, for material changes, by amending this policy.
E.O. 14117 — Bulk sensitive personal data and government-related data
Executive Order 14117 (Feb. 28, 2024), as implemented by the Department of Justice’s Final Rule at 28 C.F.R. Part 202 (eff. April 8, 2025), prohibits or restricts certain transactions that would result in access by countries of concern (currently China, Russia, Iran, North Korea, Cuba, and Venezuela), or by covered persons (entities or individuals on a published list, or with specified ownership or employment relationships), to bulk U.S. sensitive personal data (including Personal Identifiers, geolocation, biometrics, health data, financial data, and “human ‘omic” data) and U.S. Government-related data. Neuroscale-side controls:- US-only training compute and storage. All training-corpus admission, deidentification, and training compute for Neuroscale-built or Neuroscale-fine-tuned AI models occurs in US regions of AWS and Vultr; no Neuroscale-trained model artifact, training corpus, or Deidentified Data is replicated to a non-US region or to a covered-person operated facility.
- Foreign-national access to training infrastructure. Foreign-national access to systems that hold Customer Content, Deidentified Data, training corpora, model weights, or audit evidence is reviewed under the Foreign-national-employees and Deemed-export-rules sections of this policy. Citizens or permanent residents of countries of concern do not receive such access without a DOJ Part 202 analysis and General-Counsel approval.
- Vendor and sub-processor screening. AI-relevant sub-processors are screened against the covered-person rules at onboarding and on each contract renewal; vendors meeting the covered-person definition are excluded.
- Threshold awareness. The Part 202 bulk-data thresholds (e.g., 100,000+ U.S. persons for personal identifiers) are tracked by the General Counsel; Neuroscale’s training-corpus volume metrics in the AI Training-Data Transparency Notice and the AI Model Registry feed this analysis.
Section 889 — prohibited covered telecommunications equipment and services
Section 889 of the FY 2019 National Defense Authorization Act (Public Law 115-232) and FAR 52.204-25 prohibit the use of covered telecommunications equipment and services from named entities — Huawei Technologies Co., ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Co., Dahua Technology Co., Kaspersky Lab, and certain affiliates and successors — in any system used by, or that provides services to, a federal agency. Neuroscale-side controls:- No prohibited equipment in the production stack. Neuroscale does not procure, integrate, or rely on covered telecommunications equipment or services within the meaning of FAR 52.204-25 in any production system, including AWS, Vultr, Cloudflare, Better Stack, HashiCorp Vault, Rippling, GitHub, or any other vendor enumerated in the Vendor Inventory and Sub-processor List.
- Vendor onboarding screen. Section 889 compliance is a due-diligence criterion in the Vendor Risk Assessment for any new cloud, compute, network, security, or surveillance-adjacent vendor; Section 889 attestations are recorded against the vendor entry.
- Federal-customer attestation. Where a Customer is a federal agency or a federal contractor subject to FAR 52.204-25 (including the Air Force), Neuroscale provides a Section 889 attestation on request, signed by the General Counsel, confirming that Neuroscale’s services do not “use” covered telecommunications equipment or services within the meaning of the FAR.
OFCCP — affirmative-action and recordkeeping (federal contractors)
Where a Neuroscale Customer is a covered federal contractor or subcontractor under 41 C.F.R. Part 60 (including, without limitation, the U.S. Air Force and other Department of Defense components), the Customer’s use of Neuroscale features in recruiting, sourcing, screening, ranking, or other employment decisions may trigger affirmative-action and recordkeeping obligations enforced by the Office of Federal Contract Compliance Programs. Neuroscale-side controls:- Customer cooperation. Where a Customer represents that it is OFCCP-covered, Neuroscale will, on reasonable request and under NDA, provide feature-level documentation, bias-audit summaries, and Customer-side data extracts sufficient for the Customer’s OFCCP recordkeeping per 41 C.F.R. §60-1.12 and analogous DoD regulations.
- Cooperation letter on audit. The General Counsel responds to OFCCP audit inquiries directed to Neuroscale by a Customer with a cooperation letter or, where Neuroscale is brought within OFCCP scope by the contract, by participating directly in the audit.
- Re-confirmation of Neuroscale’s own contractor status. The General Counsel re-confirms annually whether any direct contract between Neuroscale and a federal agency causes Neuroscale itself to become a covered federal contractor under 41 C.F.R. Part 60; if so, Neuroscale stands up affirmative-action plan documentation per Part 60-2.
ITAR
The International Traffic in Arms Regulations (22 C.F.R. Parts 120–130) regulate “defense articles” and “defense services” listed on the U.S. Munitions List. As of the effective date of this policy, Neuroscale does not develop, supply, or perform services for defense articles or defense services as defined under the ITAR; no Neuroscale product is on the U.S. Munitions List, no Neuroscale engagement is for a “defense service,” and Neuroscale is not registered with the Directorate of Defense Trade Controls (DDTC). The General Counsel reviews this determination at the annual policy review and on any material change in Neuroscale’s customer base or product surface. If at any point Neuroscale is asked to provide services or technology that may fall within the ITAR — including any government, military, or defense-contractor engagement, any item moved from the EAR to the USML, or any item that supports a defense article — the General Counsel must be engaged before contract signature; an ITAR registration with DDTC, a technology control plan (TCP), and possibly a license or agreement (TAA / MLA) may be required before any controlled activity occurs.Foreign-national employees
- Visa and immigration status is collected at hire by HR and tracked confidentially.
- Where a foreign-national employee or contractor will have access to technology that is controlled for export to their country of citizenship or permanent residency, the General Counsel reviews and, where required, applies for a deemed-export license or implements a Access Control Policy and TCP-based mitigation prior to access.
- Citizenship and national-origin information is used solely for export-compliance and lawful-employment-verification purposes and is protected per the Human Resources Security Policy.
Restricted-party screening
Restricted-party screening is performed:- Before onboarding any new customer, vendor, partner, or distributor.
- Before processing new orders, renewals, or material expansions.
- On a continuing basis as restricted-party lists are updated (typically daily).
- On payments to or from new payees by Finance.
api.trade.gov) and the published EU FSF and UK OFSI consolidated lists; the service is integrated at vendor and customer onboarding and is invoked automatically for re-screening on each list update.
Hits are triaged by the General Counsel. The activity is paused until the hit is resolved (false-positive cleared, license obtained, or the engagement declined).
Anti-boycott (EAR Part 760)
Under 15 C.F.R. Part 760 and Section 999 of the Internal Revenue Code, U.S. persons are prohibited from participating in or cooperating with unsanctioned foreign boycotts (most commonly the Arab League boycott of Israel) and are required to report receipt of certain boycott-related requests. If any Neuroscale employee receives a request — in a tender, contract, letter of credit, questionnaire, or otherwise — that asks Neuroscale to:- Refuse to do business with Israel or Israeli persons, or with blacklisted persons;
- Discriminate on the basis of race, religion, sex, national origin, or nationality;
- Furnish information about race, religion, sex, or national origin of any person;
- Furnish information about business relationships with Israel or with blacklisted persons; or
- Provide a letter of credit containing prohibited boycott terms,
Reporting suspected violations
Suspected violations — by Neuroscale, by a counterparty, or by an employee — must be reported immediately to the General Counsel and the CFO. Reports may also be made via the channels in the Code of Conduct, including anonymously. Neuroscale prohibits retaliation against any person who in good faith reports a suspected violation. The General Counsel evaluates whether a voluntary self-disclosure to OFAC, BIS, or another regulator is warranted. Voluntary self-disclosures are made only with General Counsel approval and, where appropriate, outside-counsel involvement.Recordkeeping
Records of restricted-party screening, classification determinations, license applications and approvals, deemed-export reviews, anti-boycott reports, encryption registrations and reports, and trade-compliance training are retained for at least five (5) years from the date of the export or transaction (or longer as required by 15 C.F.R. Part 762, 31 C.F.R. §501.601, or applicable contract). Records are stored per the Data Management Policy and the Data Retention Matrix.Training
Trade-compliance training is delivered via Vanta:- At hire to all employees as part of Onboarding; a baseline awareness module.
- At least annually to all personnel handling sales, vendor onboarding, customer success, engineering with access to controlled technology, legal, and finance; a role-specific module covering sanctions screening, classification, deemed-export rules, and anti-boycott.
- Ad-hoc when there is a material regulatory change (e.g., a new sanctions program or BIS AI rule).
Governance
- Policy Owner: General Counsel.
- Co-signers: CFO and CISO.
- Annual review: This policy is reviewed at least annually. The General Counsel updates the program, and this policy, on any material change in applicable law (new Executive Orders, BIS rule changes, OFAC program changes).
Exceptions
Exceptions to this policy are not permitted where they would require Neuroscale to violate applicable law. Operational exceptions (e.g., timing, scope of screening) require written General Counsel approval and are documented.Violations & enforcement
Trade-compliance violations may result in significant civil and criminal penalties for Neuroscale and for individual employees. Violations of this policy may result in disciplinary action up to and including termination, and Neuroscale may report individual misconduct to law enforcement and to relevant regulators. Report violations to the General Counsel.Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |