Owner: CHRO, with General Counsel
Effective Date: May 8, 2026
Reviewed: Annually
Frameworks: Fair Credit Reporting Act (15 U.S.C. §§ 1681 et seq.) and state/local fair-chance laws; SOC 2 CC1.1 / CC1.4. Implements the Human Resources Security Policy.
Effective Date: May 8, 2026
Reviewed: Annually
Frameworks: Fair Credit Reporting Act (15 U.S.C. §§ 1681 et seq.) and state/local fair-chance laws; SOC 2 CC1.1 / CC1.4. Implements the Human Resources Security Policy.
Scope
- All candidates for employment (full-time, part-time, intern) and contractors who will receive Neuroscale-issued credentials, devices, or access to Confidential data — regardless of country of residence. US candidates are screened against the tier-appropriate Checkr core package; non-US candidates are screened against the same core package plus the Checkr International Professional add-on per §“International workforce” below.
- Re-screens of existing employees triggered by role changes into security-sensitive positions or by periodic re-screen requirements for high-trust roles.
- Out of scope: customer or vendor-side due diligence (covered by Vendor Risk Assessment).
Roles
| Role | Responsibility |
|---|---|
| CHRO | Procedure owner; final approval of adverse-action decisions affecting hiring outcomes. |
| General Counsel | Reviews adverse-action letters, state-specific notices, and any candidate disputes. |
| People Operations (today: CHRO; see Roles & Personnel alias map) | Day-to-day operation: orders the report, sends notices, tracks waiting periods. |
| CISO | Defines which roles are “security-sensitive” and require enhanced or periodic re-screening. |
| Hiring Manager | Receives the disposition (clear / review / no-hire) but never the underlying report content. |
CRA — Checkr
Neuroscale uses Checkr as its Consumer Reporting Agency. The Master Services Agreement and Data Processing Addendum on file include:- A written certification of permissible purpose under 15 U.S.C. § 1681b(b)(1) — Neuroscale certifies, before each report is ordered, that the report will be used for employment purposes only, that all required disclosures have been made, that consent has been obtained, and that the report will not be used in violation of any federal or state equal-employment-opportunity law.
- Compliance attestations covering FCRA, the California Investigative Consumer Reporting Agencies Act (ICRAA), the New York City Fair Chance Act, Illinois HB 3994, and the Massachusetts CORI law.
- Data-handling commitments aligned with the Data Management Policy.
Pre-hire process
1. Job ad & application — ban-the-box compliance
- Job ads must not state or imply that applicants with criminal histories will not be considered, except where a specific role is barred by law (e.g., positions with regulated access).
- The employment application must not contain any question about criminal history.
- New York City roles: the job ad includes the NYC Fair Chance Act notice that Neuroscale will not consider criminal history until after a conditional offer of employment.
- Interviewers are trained not to ask about criminal history during the interview process.
2. Conditional offer
A background check is initiated only after a conditional offer of employment has been extended in writing.3. Disclosure & authorization
CHRO, via Checkr, sends the candidate two distinct documents:- A stand-alone disclosure stating that a consumer report (and, where applicable, an investigative consumer report) may be obtained for employment purposes. Per 15 U.S.C. § 1681b(b)(2)(A)(i) and binding case law (Syed v. M-I, LLC), the disclosure is a clear and conspicuous, stand-alone document — not embedded in the employment application or combined with liability waivers.
- A separate written authorization form signed by the candidate. See the Background-Check Consent template.
- A Summary of Your Rights Under the FCRA (CFPB-prescribed form).
- State-specific notices required by the candidate’s state of residence and intended work location, including (non-exhaustive):
- California (ICRAA): Notice that the candidate may request a copy of any investigative consumer report; the seven-year cap on reportable convictions per Cal. Civ. Code § 1786.18; investigative-consumer-reports notice.
- New York City (Fair Chance Act): Notice that criminal history will be reviewed only after a conditional offer.
- Massachusetts (CORI): Acknowledgement form for any CORI request and the standard CORI notice.
- Illinois (HB 3994 / Job Opportunities for Qualified Applicants Act, as amended): Notice that conviction records will be considered only after a conditional offer.
- Washington, Minnesota, New Jersey, Connecticut, Colorado, and other ban-the-box jurisdictions: Equivalent notices as required.
4. Order
CHRO files the Background Check intake form — which captures the role tier (per §“Background-check tiers” below), the candidate’s residence and work-location, and the package selection — and, once authorization is captured in Checkr, orders the appropriate Checkr package and add-ons for that tier.Background-check tiers
Neuroscale runs a minimum-viable screening program: each tier carries the smallest Checkr build that satisfies SOC 2 §CC1.1 / CC1.4 (“proportional screening, documented and consistently applied”) and ISO/IEC 27001 A.6.1 (“proportional to business requirements and information classification”). Optional add-ons (employment verification, education verification, continuous monitoring, credit, civil, professional license) are layered onto a candidate’s screen only when a specific customer contract or regulatory regime requires them — see §“Optional add-ons” below. The CISO assigns the tier at the time the requisition is opened and the CHRO confirms at offer. Roles that straddle production access and fiduciary authority (CTO, CISO, GC, CHRO) are screened at T2; the T3 designation does not currently add screening components — it is preserved as a label for fiduciary-role tracking and will pick up additional searches only when a customer contract or regulatory event triggers them.| Tier | Population | Checkr build | Approx. per-check cost | Why |
|---|---|---|---|---|
| T1 — Baseline | Every US employee or contractor whose access tops out at Restricted-class data (Microsoft 365, Slack, Linear, GitHub read on this docs repo, Vanta). Roles: sales, marketing, customer success, recruiters, ops, non-engineering contractors with credentials. | Checkr Essential package + Identity Verification + Assess Standard adjudication | ~$62 | SSN trace, sex-offender registry, global watchlist, national criminal, unlimited county criminal — proportional to Restricted-data access without over-screening for non-job-related history. Identity verification proves the person being screened matches the person being hired. Assess Standard provides matrix-based, repeatable adjudication that is straightforward to defend in audit. |
| T2 — Production / Confidential access | Anyone with access to AWS Identity Center, Vultr, HashiCorp Vault, KMS / secrets-manager consoles, production databases, or customer-data-bearing tools. Roles: software engineers, SREs, IT, security staff, support engineers with prod-debug access, production-data-handling product managers. | Checkr Complete package + Identity Verification + Assess Standard adjudication | ~$97 | Complete adds federal criminal + unlimited state criminal on top of Essential — appropriate for Confidential-class access where federal crimes (wire fraud, computer fraud, ITAR / EAR violations) are most relevant. |
| T3 — Finance, executive, fiduciary | Anyone with wire-transfer, banking, contracting, or check-signing authority; named officers. Roles: CFO, CEO, anyone holding power-of-attorney signing authority. CTO, CISO, General Counsel, and CHRO screen at T2 because their production access is the higher-risk surface; their fiduciary authority is tracked here but adds no extra searches under the baseline program. | Same as T2 — Complete + Identity Verification + Assess Standard | ~$97 | The fiduciary-specific add-ons (credit, civil, professional license) are deferred to §“Optional add-ons” — added only when a customer contract or regulatory regime requires them. The T2 criminal floor is sufficient to satisfy SOC 2 / ISO 27001 for the fiduciary population at Neuroscale’s current scale. |
| International | Any worker resident or recruited outside the United States. Layered on top of T1 / T2 / T3 according to the worker’s access — i.e., a non-US engineer with production access is T2 + International, not “International instead of T2.” | Tier-equivalent Checkr core (Essential for T1 / Complete for T2-T3) plus Checkr International Professional for the country of residence | ~$150-200 | International packages cover non-US criminal records and identity-verification sources that the US-only core packages do not reach. The list of countries in which Neuroscale currently employs staff — and the corresponding country-specific check components that Checkr supports — is maintained by the CHRO in §“International workforce” below. |
Optional add-ons — added only on customer-contract or regulatory trigger
The add-ons below are not part of the baseline tier builds. The CHRO + General Counsel evaluate the trigger and, where added, document the basis on the candidate’s record so the auditor can see why the optional search was run for that particular hire.| Add-on | When Neuroscale adds it | Cost |
|---|---|---|
| Employment Verification | A customer contract or regulatory regime requires verification of stated work history for production-access roles; or the hiring manager identifies a specific verification need (executive hire, role where a single prior-employer experience is material to the offer). | $12.50+ |
| Education Verification | A customer contract requires it; or the role’s claimed credential is part of the hire decision (regulated professional roles). | $12.50+ |
| Continuous Criminal Monitoring | A customer contract requires ongoing-monitoring evidence (some enterprise / regulated customers do); or a Severity 1 personnel-related incident motivates a tighter standing control across the T2 / T3 population. | $1.70/person/month |
| Credit Report | A customer contract specifically requires a credit component for fiduciary roles; or a state regulator imposes the requirement on a specific role. Not added by default — credit is restricted or prohibited for general employment use in CA, CO, CT, DE, DC, HI, IL, MD, NV, NY, NYC, OR, VT, and WA, and the customer-asked exemption basis must be documented per-state on the candidate notice and the §“Individualized assessment” record. GC sign-off is required before any credit add-on is ordered. | $8+ |
| Federal Civil + County Civil | A customer contract requires it; or the role-specific risk assessment surfaces a specific judgment-disclosure concern. | 40 per county |
| Professional License Verification | The role’s claimed license is part of the hire decision (e.g., GC’s bar admission, CPA for a finance role where licensure is required). | $12 |
Add-ons explicitly out of scope today
- MVR / Driving Records. Not applicable — Neuroscale does not require driving on company business. Add only if a role drives.
- Drug screening. Not required by federal law for any Neuroscale role; state marijuana protections in NY, NJ, CA, CT, MT, IL, WA, OR, MN, MI, RI, NV, and DC make routine drug screening a net liability for non-safety-sensitive roles. Add only if a specific customer contract demands it; if added, CHRO and GC review the contract clause and document the basis on the candidate notice.
- DOT / Clearinghouse. N/A — Neuroscale is not a DOT-regulated employer.
- Fingerprint / FBI Identity History Summary. N/A unless Neuroscale enters a regulated channel (FedRAMP High, law-enforcement customer) that requires it.
Adjudication policy
The Assess Standard adjudication engine applies the Neuroscale Adjudication Matrix — a written rule-set maintained by the CHRO and General Counsel — to every report. The matrix translates raw findings into one ofClear / Review / Engaged per the §“Adjudication” rules below. Updates to the matrix are reviewed by the General Counsel before activation and recorded in the SOC 2 / ISO 27001 evidence library.
International workforce
For workers resident or recruited outside the United States, the tier-appropriate core package is run together with Checkr International Professional for the worker’s country of residence (and country of citizenship where different). International Professional covers, in the jurisdictions where Checkr supports it, non-US criminal-record sources, sanctions / PEP screening, identity verification against country-issued identity documents, and education / employment verification when those add-ons are included on the engagement. Country-specific coverage differs by jurisdiction — some countries return criminal records on a national basis (UK, Ireland), some only on a regional or court-level basis (Germany, India), and some restrict employer access to criminal records entirely (France, Belgium). The CHRO maintains the country coverage table below — a row per country in which Neuroscale currently employs staff, the Checkr-supported components for that country, and any country-specific notice / consent variation that the candidate-disclosure flow needs to apply.| Country | Checkr-supported components | Country-specific consent / notice notes |
|---|---|---|
| Brazil | Identity verification (CPF + RG); Atestado de Antecedentes Criminais (Federal Police criminal-record certificate) where the role meets the §“role-justified” test below; employment verification (optional, when triggered); education verification via MEC / institution; global watchlist / PEP / sanctions. | LGPD Art. 7 / Art. 11 apply — criminal records are sensitive personal data. TST Súmula 51 limits criminal-record use to roles where it is specifically justified by the function (financial trust, child contact, safety-sensitive). General Counsel reviews each Brazil-based role before the criminal portion is ordered and records the role-justification on the candidate file; for engineering / production-access roles, justification is typically grounded in fiduciary access to Confidential customer data and to production systems, which is consistent with the TST exception for “specific need” — but the basis is documented per role, not assumed. Candidate notice + consent is provided in Portuguese with the LGPD-required transparency disclosures (controller identity, processing purpose, legal basis, retention, data-subject rights, DPO contact). |
| India | Identity verification via PAN + passport (Aadhaar excluded — see notes); court-record search at the state / district level for jurisdictions where the candidate has resided or worked in the trailing 7 years; Police Clearance Certificate (PCC) from the candidate’s current place of residence; employment verification (optional, when triggered); education verification via UGC / AICTE / the issuing institution; global watchlist / PEP / sanctions. | DPDP Act 2023 (lawful basis under §7 and consent flow under §6 / §11); IT Act §43A + SPDI Rules 2011 for sensitive personal data. Aadhaar must not be used as the primary identity verifier for private-sector employment screening under the Aadhaar Act 2016 and the Puttaswamy / Aadhaar Supreme Court judgments; Checkr’s India identity flow uses PAN + passport. Candidate notice + consent is provided in English (acceptable for white-collar employment under the Industrial Employment (Standing Orders) Act and related state shops-and-establishments acts) with DPDP-required notices. |
| Future countries | To be populated by CHRO as Neuroscale enters new countries. |
- EU / EEA / UK: GDPR / UK GDPR Article 6 (lawful basis), Article 9 (special-category data — criminal-history data is treated as Article 10 / special-category in many member states), Article 88 (workforce derogations), country-specific employer-screening statutes (Germany BDSG §26, France Code du travail Art. L1221-6 ff.).
- Canada: PIPEDA Principle 4 (limiting collection); provincial human-rights law on criminal-record use (e.g., Ontario Human Rights Code).
- Brazil: LGPD Art. 7 / Art. 11 (sensitive personal data), Súmula 51 of the Tribunal Superior do Trabalho (TST) limiting criminal-history use to specific roles (see Brazil row above).
- India: DPDP Act 2023, IT Act SPDI Rules, Aadhaar usage restrictions (see India row above).
- Other jurisdictions: evaluated on entry.
Contractor and third-party screening
Contractors fall into five operational sub-categories. Each is screened — or relied on as already-screened — through the path below. The “or required to provide evidence of an acceptable background” clause in the Human Resources Security Policy → Screening is the umbrella that authorizes the reliance-letter pattern in sub-categories 2–4.| Sub-category | Description | Screening path | Tier mapping |
|---|---|---|---|
| 1. Individual / 1099 contractor | A directly-engaged contractor — sole proprietor, freelance engineer, fractional executive — who receives Neuroscale-issued credentials, a Neuroscale device, or access to Confidential data, with no intermediary staffing agency. | Neuroscale orders a tier-appropriate Checkr screen at the same tier as an equivalent employee. Treated like an employee for screening purposes — same disclosure, authorization, adjudication, and adverse-action machinery. | T1 / T2 / T3 per the role’s access. |
| 2. Staffing-agency contractor | A contractor sourced through a staffing agency, contract-recruiting firm, or talent platform (Toptal, Andela, etc.). The agency is the W-2 employer-of-record and runs its own pre-placement screen. | Neuroscale relies on the agency’s pre-placement screen via a written reliance letter signed by the agency attesting that (a) the screen was performed within the trailing 2 years, (b) the components covered meet or exceed Neuroscale’s tier requirements, and (c) the contractor was cleared. Neuroscale does not request or retain the underlying report. If the agency cannot attest, Neuroscale orders a tier-appropriate Checkr screen as if the contractor were sub-category 1. | T1 / T2 / T3 per the role’s access; the agency must attest the screen meets that tier’s requirements. |
| 3. Vendor-employed personnel with temporary access | An employee of a Neuroscale vendor who receives temporary access to Neuroscale systems for support, integration, or incident purposes — e.g., AWS Technical Account Manager, Vultr support engineer with break-glass access, SaaS-vendor support engineer triaging a P1, Snyk customer-success engineer with read-only repo access. | Neuroscale relies on the vendor’s personnel-screening program via the vendor’s SOC 2 / ISO 27001 narrative coverage of personnel screening, surfaced in the Vendor Annual Review Note required by Vendor Risk Assessment → Annual re-review — evidence format. Neuroscale does not separately screen these individuals. Access is time-bounded and revoked when the support engagement ends. | N/A — vendor’s own program governs. |
| 4. Professional-services contractor under engagement letter | A firm engaged by Neuroscale to deliver a defined scope of work — penetration tester, external auditor, outside counsel, technical consultant — whose personnel may receive scoped Neuroscale credentials for the duration of the engagement. | Neuroscale relies on the firm’s personnel-screening program via (a) a clause in the engagement letter requiring the firm to attest that personnel assigned to Neuroscale have been screened to the firm’s standard practice; and (b) the firm’s SOC 2 / ISO 27001 or AICPA / bar / equivalent attestation surfaced in the firm’s Vendor Inventory entry. | N/A — firm’s own program governs. |
| 5. Office contractor (no logical access) | Cleaning, building maintenance, package delivery, food service, in-office event support — anyone whose presence on Neuroscale premises does not include credentials, devices, or logical access to Restricted-or-higher data. | No screening required by Neuroscale. Physical-security controls in the Physical Security Policy (visitor escort, badge-only access, after-hours cleaning supervision) govern. Where the building landlord, third-party facilities provider, or vendor’s own program screens these workers, that is for the landlord / vendor to attest, not Neuroscale. | Out of scope. |
FCRA joint-user caveat (sub-categories 2 – 4)
Under the Fair Credit Reporting Act (15 U.S.C. §§ 1681 et seq.), the “user” of a consumer report is the party that obtains and acts on that report. When Neuroscale runs its own Checkr screen (sub-categories 1 and the international EOR-direct alternative), Neuroscale is the FCRA user and the procedure’s disclosure / authorization / adverse-action machinery applies in full. When Neuroscale relies on a third party’s screen (sub-categories 2 – 4), Neuroscale is not the FCRA user — the staffing agency, vendor, or professional-services firm is. To preserve that separation:- The reliance letter or engagement-letter clause states that the screen was performed and met Neuroscale’s tier requirements. It does not include a copy of the underlying consumer report.
- Neuroscale does not request, store, or forward the underlying report.
- If a candidate or contractor disputes a finding, Neuroscale directs the dispute back to the agency / vendor / firm — Neuroscale does not adjudicate the underlying report.
Reliance-letter template
A reliance letter retained for sub-categories 2 – 4 attests, at minimum:- The screening firm’s name and address.
- The candidate / contractor’s name and the engagement identifier.
- The components of the screen performed (criminal at what level, identity verification, etc.).
- The date the screen was completed (must be within the trailing 2 years).
- Confirmation that the screen met or exceeded the tier-appropriate components in this procedure’s §“Background-check tiers” table.
- The firm’s authorized signatory and signature date.
Adjudication
Checkr returns the report to the CHRO review queue. Reports are matrix-adjudicated against role-specific criteria approved by the CHRO and General Counsel:- Clear — no records or only records that do not meet review criteria; hiring proceeds.
- Review — record matches a review criterion; triggers an individualized assessment as described below.
- Engaged — candidate self-disclosure or dispute in progress.
Individualized assessment
Where a record meets a review criterion, CHRO and the General Counsel conduct an individualized assessment considering the nature and gravity of the offense, the time elapsed, the nature of the position, and any evidence of rehabilitation, consistent with EEOC guidance and applicable state/city fair-chance laws.Pre-adverse action
If the individualized assessment indicates Neuroscale is likely to make an adverse decision in whole or in part based on the report, CHRO sends the candidate a pre-adverse-action notice containing:- A copy of the consumer report.
- A current copy of the Summary of Your Rights Under the FCRA.
- Any state- or city-specific notices required (e.g., the NYC Fair Chance Act Notice, including the position-specific Article 23-A analysis form).
- A clear statement of which item(s) in the report are at issue.
- Instructions on how to dispute the accuracy or completeness of the report directly with Checkr.
Final adverse action
If, after the waiting period, the decision remains adverse, CHRO sends a final adverse-action notice that includes, per 15 U.S.C. § 1681m(a):- The name, address, and toll-free telephone number of the CRA (Checkr) that furnished the report.
- A statement that the CRA did not make the adverse decision and is unable to provide the specific reasons why the decision was made.
- A statement of the candidate’s right to obtain a free copy of the report from the CRA within 60 days.
- A statement of the candidate’s right to dispute the accuracy or completeness of any information in the report directly with the CRA.
- All applicable state- and city-specific adverse-action notices (e.g., the NYC Fair Chance Act final determination, California ICRAA notice).
Records retention
Records of every step of this procedure — disclosure and authorization forms, the report itself, the individualized assessment, the pre-adverse and final adverse notices, and any candidate correspondence — are retained per the Records Retention Schedule.- Adverse-action records: retained for 5 years from the date of the adverse action.
- Consent and disclosure forms (cleared candidates): retained for the duration of employment plus 5 years (or as required by state law).
- All records are stored in the CHRO folder of SharePoint with access restricted to the CHRO, People Operations support staff, and the General Counsel.
Re-screening
Re-screening of currently-cleared workers operates on two layers:- Triggered re-screen. A full new report at the new tier is ordered when (a) an existing employee or contractor moves into a higher tier (T1 → T2 or T1 → T3); or (b) a specific event (reported misconduct triggering a fitness-for-duty review) is approved by the CHRO and General Counsel.
- Periodic re-screen. Every 3 years for T2 and T3 roles.
Cross-references
- Human Resources Security Policy
- Background-Check Consent template
- Adverse-Action Letter template
- Records Retention Schedule
- Onboarding
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |