Scope
Applies to any export of customer-owned data from the Neuroscale production environment. It does not govern internal analytical extracts, which are handled under the Data Management Policy.Triggers
| Trigger | Notes |
|---|---|
| Customer self-service request (“export-as-a-service”) | Initiated by an authorized customer admin in-product. |
| Contract termination or non-renewal | Default obligation: return + delete within the window in the customer’s MSA / DPA (see “Retention after export” below). |
| Legal hold | Triggers preservation extract; export is held under General Counsel direction and is not auto-deleted. |
| Data Subject Rights (DSR) request — access or portability | Forwarded to the customer (the controller) for individual-record exports; bulk exports follow this procedure. |
| Migration to a new tenant or environment | Treated as a customer-initiated export. |
Roles
| Role | Responsibility |
|---|---|
| CTO | Procedure owner; approves any export of >1 TB or any export requiring a non-standard format. |
| Customer Success (CSM; today operationally: CTO — see Roles & Personnel alias map) | Customer-facing point of contact; verifies requester authority; signs the receipt of delivery. |
| CISO | Approves cryptographic controls, key handling, and BYOK arrangements; reviews any deviation. |
| Engineering on-call | Executes the extraction from production systems. |
| General Counsel | Reviews exports tied to terminations, legal holds, or regulatory requests. |
Intake
Customer-initiated exports (other than in-product self-service) are submitted via the Customer Data Export intake form, which files into the engineering Linear queue and triggers the verification steps below.Authentication & authorization
Before any export job is initiated:- The request must originate from an authorized customer administrator as named in the customer’s account or contract.
- The requester is verified via two channels: Rippling authentication on the customer-facing portal, plus a secondary out-of-band confirmation (a phone callback to the named contact on file, or a Docusigned export-authorization form for terminations).
- The verification record (timestamps, channel, person spoken to) is attached to the Linear ticket.
Extraction
- Engineering on-call opens an export task in Linear, linked to the customer’s account.
- The data is extracted from the primary production database — AWS RDS / Aurora for AWS-hosted workloads, Vultr-hosted Postgres for Vultr-hosted workloads — using read replicas where available to avoid load on the primary. Extraction tooling is the standard internal export job; ad-hoc SQL exports are not permitted.
- The extract is consolidated and staged in a dedicated, customer-scoped AWS S3 prefix encrypted with AWS KMS customer-managed keys (or the customer’s BYOK key — see below). AWS S3 is the canonical export-staging surface across both clouds; Vultr-resident customer data is moved into the AWS S3 staging area for consistent key custody, manifest generation, and pre-signed-URL delivery.
- Engineering generates a SHA-256 manifest of every object in the extract.
Formats
| Format | Use |
|---|---|
| JSON Lines | Default for transactional and document-shaped data. |
| CSV | Tabular exports for analytics workflows. |
| Parquet | Large datasets, or where the receiving system is a data warehouse. |
| Customer-specific format | On request, with CTO approval and a written scope statement. |
Encryption
- At rest (staging): AES-256 via AWS KMS. Each export uses a dedicated key.
- In transit: TLS 1.3 only. Pre-signed S3 URLs use the AWS SigV4 scheme over HTTPS.
- BYOK: If the customer has a Bring-Your-Own-Key arrangement, the export is encrypted under the customer’s KMS key (cross-account grant) before staging. Key handling follows the Cryptography Policy.
- End-to-end: For high-sensitivity exports, the archive is additionally encrypted with a passphrase (PGP or zip-AES), with the passphrase delivered out-of-band.
Transfer mechanism
The transfer mechanism is the one specified in the customer’s DPA, or — if unspecified — selected by the CTO in consultation with the customer:- Pre-signed S3 URL (default). Time-limited, IP-scoped where feasible, single-use.
- Customer-managed S3 bucket. Neuroscale assumes a customer-provided IAM role and writes directly to the customer’s bucket.
- SFTP. Customer-hosted SFTP endpoint with key-based authentication. Used where the customer has a standing SFTP-only policy.
Verification
- The customer is provided with the SHA-256 manifest at delivery.
- The customer confirms successful download and hash match in writing (email or signed receipt). The signed Receipt of Delivery closes the ticket.
- For terminations, the receipt also acknowledges the post-export deletion timeline below.
Retention after export
- Staged extracts in Neuroscale-managed S3 are deleted within 30 days of the customer’s confirmed receipt, or earlier if the customer waives the retention.
- Customer production data (the source data, not the export) is deleted within 60 days post-termination unless extended by the customer’s contract or by a legal hold. Deletion follows the Records Disposal & Certificates of Destruction Procedure.
- Backups retaining the data are aged out per backup-lifecycle policy and are subject to cryptographic erase via key destruction.
- See the Records Retention Schedule for full retention windows.
SLAs
| Tier | Time-to-delivery (from verified request) |
|---|---|
| Standard | 10 business days. |
| Expedited (with contractual entitlement, or by exception with CTO approval) | 5 business days. |
| Large (>1 TB or non-standard format) | Mutually agreed timeline, documented in the ticket and confirmed in writing with the customer. |
Records
The following are retained for 6 years in the SharePoint customer-records library, indexed by customer account:- The Linear ticket (request, approvals, extraction commands, hashes).
- Authentication & authorization evidence (callback notes, signed authorization).
- The SHA-256 manifest.
- The signed Receipt of Delivery.
- Deletion confirmations (staging deletion, source deletion, backup-erase certifications where applicable).
Cross-references
- Data Management Policy
- Cryptography Policy
- Records Retention Schedule
- Records Disposal & Certificates of Destruction
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |