Scope
- Security incidents that may affect customers or trigger regulatory notification.
- Service-availability incidents meeting an SLA-affecting threshold.
- Breach determinations under the FCRA, US state breach-notification laws, GDPR, or contractual breach-notification clauses.
- Press, analyst, and social-media inquiries arising from any of the above.
Triggers
| Trigger | Action |
|---|---|
| P0 / P1 incident affecting customers | Open the comms workstream in parallel with the Incident Response Team (IRT). |
| Breach determination (PII, customer Confidential data) | Engage General Counsel; begin drafting customer/regulator notifications. |
| Service degradation meeting an SLA threshold | Update status page; consider direct notice to affected customers. |
| Regulatory notification timeline triggered | Drafted by Legal under privilege; see Breach notification timing matrix. |
| Inbound media or analyst inquiry | Route to CEO / designated spokesperson per “PR / media” below. |
Roles
| Role | Responsibility |
|---|---|
| CTO | Procedure owner; runs the customer-comms workstream during an incident. |
| General Counsel | Reviews every external draft for legal and privilege concerns; approves regulatory notifications. |
| CISO | Approves any technical detail; signs off on facts before they go out. |
| CEO | Sole authorized public spokesperson; signs material communications. |
| PR / Communications | Drafts press statements, prepares Q&A, and monitors media. |
| Customer Success Managers (CSMs) | Deliver high-touch comms to named-contact accounts. |
Approval chain
- Draft — Customer Success or PR (under General Counsel direction during a breach) drafts the initial communication.
- Review — CISO confirms factual accuracy of any technical content. General Counsel reviews for legal positioning, privilege, and regulatory adequacy.
- Approve — CEO signs off on material communications (defined as: any communication that admits a breach, that goes to >1 customer, that is publicly posted, or that is sent to a regulator).
- Send — Customer Success or PR sends through the appropriate channels.
Templates
Approved customer-comms templates (initial notification, status update, post-mortem, regulatory notice) are maintained at Templates → Customer Communications Templates. Use the template as the starting point; tailor it with incident-specific facts approved by the CISO.
Channels
| Channel | Use |
|---|---|
| Status page at status.neuroscale.ai | All availability incidents and any incident with broad customer impact. |
| Email to customer admin contacts on file | Default for notifications, breach notices, and post-mortems. |
| In-product banner | Used when in-product behavior is affected and the user must be informed at point of use. |
| Customer-named contact (CSM call/email) | High-touch accounts, accounts with named-contact contractual notice provisions, and regulated customers. |
| Phone / video | Reserved for major-account escalations at the discretion of the CEO or CTO. |
Timing
- Default contractual customer-notification SLA: Per the customer’s MSA / DPA. Where unspecified, Neuroscale’s default commitment is within 72 hours of confirmation of an incident affecting that customer.
- GDPR processor notice to controller: without undue delay (Art. 33(2) GDPR).
- US state breach-notification laws: as required by the state of residence of affected individuals — see the Breach notification timing matrix.
- Status-page acknowledgement of an active P0 / P1: within 15 minutes of incident declaration; updates at least every 30 minutes until resolution.
PR / media
- Only the CEO or a designated spokesperson speaks publicly about a Neuroscale incident.
- All employees direct inbound press inquiries to press@neuroscale.ai without comment. Do not say “no comment”; use the standard hand-off line in the comms template library.
- Social-media accounts (corporate and personal-with-Neuroscale-affiliation) post nothing about an active incident until the all-clear is given by the CEO and General Counsel.
- Analyst calls about an incident are scheduled by PR with the CEO, with General Counsel and CISO present.
“Do not say” guidance
The following are prohibited until specifically authorized in writing by General Counsel:
- No admission of fault before facts are confirmed and an approved messaging line exists.
- No speculation about cause, impact, attribution, or attacker identity.
- No naming of individuals as responsible — internal personnel, third parties, or attackers.
- No firm timelines for restoration or remediation that have not been confirmed by Engineering.
- No use of the words “breach,” “compromise,” or “exposure” in customer-facing or public communications until General Counsel has confirmed the legal characterization. Use neutral phrasing approved in the template library.
Privilege
- All draft, deliberative, and investigative communications about an active incident are marked “Privileged & Confidential — Prepared at the Direction of Counsel” and routed through the Incident Response → Documentation workflow.
- Working channels are the dedicated incident channels with restricted membership. Avoid carrying privileged discussion into general Slack channels.
- External-vendor communications relevant to the investigation are routed through outside counsel where retained.
Records
The following are retained for 6 years in the SharePoint incident-records library, tagged to the incident:
- All drafts (each version), approvals, and the final-sent version of every external communication.
- Status-page event log and timestamps.
- Regulatory-notification submissions and acknowledgements.
- Press-inquiry log and any statements issued.
- Customer-acknowledgement receipts and any follow-up correspondence.
Cross-references
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |