The operational procedure for handling Data Subject Requests (DSRs / DSARs) — the rights granted to individuals under GDPR Articles 15-22, CCPA/CPRA (Cal. Civ. Code §§1798.100-130), and the comprehensive state privacy laws of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Iowa, Delaware, Indiana, New Jersey, New Hampshire, Kentucky, Maryland, Minnesota, and Rhode Island.
This procedure implements the Data Management Policy and the public Privacy Notice.
Rights covered
Depending on the requester’s jurisdiction and the legal basis Neuroscale relies on, one or more of the following rights apply:
| Right | GDPR | CCPA/CPRA | State laws (CO/CT/VA/etc.) |
|---|---|---|---|
| Access / “know” (copy of personal data and processing details) | Art. 15 | §1798.100, §1798.110 | Yes |
| Deletion / “right to be forgotten” | Art. 17 | §1798.105 | Yes |
| Correction / rectification | Art. 16 | §1798.106 | Yes |
| Portability (machine-readable export) | Art. 20 | §1798.130 | Most |
| Opt-out of sale or sharing | — | §1798.120 | Yes |
| Opt-out of targeted advertising | — | (CPRA) | Yes |
| Opt-out of profiling / automated decision-making with legal or similarly significant effects | Art. 22 | (CPRA regs) | CO, CT, others |
| Restriction of processing | Art. 18 | — | — |
| Object to processing | Art. 21 | — | Limited |
| Withdraw consent (where consent is the legal basis) | Art. 7(3) | — | Yes |
| Non-discrimination for exercising rights | — | §1798.125 | Yes |
| Appeal of denied request | — | — | Yes (CO, CT, VA, others) |
Receipt channels
Neuroscale accepts DSRs via any reasonable channel:
A “Do Not Sell or Share My Personal Information” link and a “Limit the Use of My Sensitive Personal Information” link are maintained on the public site footer per CPRA §1798.135.
Triage and routing
| Step | Owner | SLA |
|---|---|---|
| 1. Receipt logged in the DSR tracker | General Counsel (Privacy Officer) | Same business day |
| 2. Initial classification (right requested, jurisdiction, role) | General Counsel (Privacy Officer) | 2 business days |
| 3. Identity verification | General Counsel (Privacy Officer) | 5 business days |
| 4. Engineering ticket opened in Linear (#privacy queue) | General Counsel (Privacy Officer) | After verification |
| 5. Engineering executes (locate, export, correct, or delete) | Engineering Lead / data owner | Per overall timeline |
| 6. CISO confirms deletion is complete and verifiable (including backups) for delete requests | CISO | Before response |
| 7. Response sent to requester | General Counsel (Privacy Officer) | Per timeline below |
| 8. Record closed in tracker; evidence filed | General Counsel (Privacy Officer) | At close |
The DSR tracker lives in the DSR Tracker project in Linear.
Identity verification
Verification is proportionate to the sensitivity of the data and the risk of unauthorized disclosure (GDPR Art. 12(6); CCPA regs §7060-7062). Default rules:
- Anonymous browser data only (cookies, opt-out signals, GPC) — do not require login or additional verification; honor by signal.
- Account-holder data — require sign-in to the account plus MFA. No additional ID needed.
- Customer-employee data submitted by an employee of a customer — verify via the customer’s SSO; route to the customer (Neuroscale is processor — see On-behalf-of-end-user requests).
- Neuroscale employee or contractor data — require Rippling + MFA; coordinate with CHRO. See Employee Privacy Policy.
- Sensitive data, deletion of high-risk records, or no available account — request a government-issued ID (matched to the data on file and then immediately destroyed) plus a signed declaration under penalty of perjury, per CCPA regs §7062(b).
- Authorized agents — require (i) a written, signed statement of authority from the data subject (or a power of attorney), (ii) the agent’s own identity verification, and (iii) where the agent is a business, evidence of California Secretary of State registration if claiming under CCPA. Neuroscale may also contact the data subject directly to confirm.
If verification fails, Neuroscale will request additional information once. If still not verified, the request is closed as “unable to verify” with notice to the requester and a record retained.
Do not collect more identifying information than is necessary to verify. Any identity documents collected for verification are deleted within 30 days of verification (or sooner once verification is complete).
Timelines
| Regime | Initial response | Extension | Notice required |
|---|---|---|---|
| GDPR / UK GDPR | 30 calendar days | +60 days for complex requests | Yes — within initial 30 days, with reasons |
| CCPA / CPRA | 45 calendar days | +45 days when reasonably necessary | Yes — within initial 45 days |
| Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Iowa, Delaware, Indiana, New Jersey, New Hampshire, Kentucky, Maryland, Minnesota, Rhode Island | 45 calendar days (most) / 60 (a few) | +45 days where permitted | Yes — within initial period |
| Appeals (state laws that provide for appeal) | 45-60 days | Per statute | Notice of result and AG contact info |
Clocks start on the date the request is received, not the date verification completes — except where state law specifies otherwise. If verification takes time, document it in the tracker.
Response content
Responses include:
- The action taken (or refusal with grounds).
- For access requests, the data in a portable, machine-readable format (typically JSON or CSV) covering the prior 12 months by default; longer where the requester asks and where it is feasible.
- The categories of personal data, sources, business or commercial purposes, categories of recipients, and retention periods (CCPA §1798.110).
- A statement of any rights the requester has not yet exercised (right to delete, right to opt-out, etc.).
- The right to appeal (where applicable) and the procedure for doing so.
Refusal grounds
Neuroscale may refuse, charge a reasonable fee for, or limit a response when a request is manifestly unfounded or excessive (GDPR Art. 12(5)) — for example, repetitive requests — or when a statutory exemption applies, including:
- Conflicts with legal obligations Neuroscale must comply with.
- The data is necessary to detect security incidents or prosecute fraud (CCPA §1798.105(d)(2)).
- Compliance with a legal claim, exercise of free expression, scientific research with appropriate safeguards, or other GDPR Art. 17(3) / CCPA §1798.105(d) exemptions.
- Identity cannot be verified after a reasonable opportunity.
- The request would require disclosure of trade secrets or another individual’s personal data that cannot be redacted.
A refusal is communicated in writing with the specific reasons and the requester’s right to appeal, complain to the supervisory authority (GDPR — the lead DPA; CCPA — the California Privacy Protection Agency or AG; state AGs), or seek judicial remedy.
Records and retention
The DSR tracker captures, for each request:
- Date received, date verified, date closed.
- Channel of receipt and jurisdiction.
- Right(s) requested and outcome.
- Verification method.
- Materials sent to the requester (linked).
- Internal tickets and approvers.
Records are retained for 6 years from closure (exceeds GDPR’s 3-year statute of limitations and most state-law audit windows). See Records Retention Schedule.
On-behalf-of-end-user requests (processor role)
When Neuroscale processes personal data on behalf of a customer (Neuroscale = processor; customer = controller / business), and a request from the customer’s end user reaches Neuroscale directly, the procedure is:
- Acknowledge receipt to the requester within 10 business days.
- Confirm whether the data subject is the customer’s end user (vs. a Neuroscale account holder).
- Forward the request to the customer’s designated DPA contact and the customer’s privacy point of contact.
- Assist the customer in fulfilling the request as required by the Customer DPA (including SCCs Module Two/Three obligations) — typically by providing exports, executing deletions, or honoring opt-outs at the customer’s documented instruction.
- Do not act unilaterally on the data; do not respond substantively to the requester beyond directing them to the customer.
Customer-initiated requests (the customer asking Neuroscale to action a request on its end user’s behalf) follow the same workflow but are tracked under the customer’s account in the tracker.
Employee DSRs
Requests from Neuroscale employees, contractors, applicants, and former workers are routed through the CHRO’s office in coordination with the General Counsel (Privacy Officer). Verification is via Rippling + MFA where possible; otherwise government-issued ID. Special considerations:
- Personnel files contain records subject to longer retention (FLSA, EEOC, ERISA) — the Records Retention Schedule and litigation-hold register override deletion. See Records Retention Schedule.
- Performance and disciplinary records may be withheld under exemptions for management’s deliberative processes and records relating to ongoing investigations.
- Health-related records collected under ADA, FMLA, or workers’ comp are kept separate and may be subject to separate access procedures under those statutes.
See the Employee Privacy Policy for the full scope of employee data Neuroscale collects and how it is used.
Roles and responsibilities
| Role | Responsibility |
|---|---|
| General Counsel (Privacy Officer; also acting as voluntary DPO — see DPO independence note) | Owns DSR program; first reviewer; sole approver of refusals and extensions; signs response. If Art. 37 mandatory DPO is later triggered, an independent DPO is retained. |
| CHRO | Routes employee DSRs; verifies employment-data exemptions |
| CISO | Confirms deletions are technically complete (including backups, logs, derived data); approves identity-verification exceptions for high-risk data |
| Engineering Lead | Tasks engineers to locate, export, correct, or delete data |
| Customer Success (today: CTO; see alias map) | Coordinates customer-routed requests where Neuroscale is processor |
Cross-references
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |