Prepared for: VGC LLP (Kotler / Mori / Greeley)
Prepared by: Cameron Wolfe (in-house)
Subject: Quarterly compliance-program review — May 2026 internal audit and remediation log
Effective period: May 8, 2026 – August 8, 2026
Repo state at packaging: master @ a6d802a (post-L commit)

1. Executive summary

A line-by-line internal audit of the 24 core policies (22 in policies/, 2 in legal/) was completed on May 9, 2026. The audit identified 36 findings across four severity tiers — Critical (6), High (10), Medium (10), Low (10) — plus a network-posture rescoping (Cloudflare One = default; Tailscale = restricted to production-infrastructure access). All 36 findings have been remediated in five commits on master. 23 inline (todo: …) markers remain across the policy set; each is scoped to a question that requires counsel input, vendor selection, or organizational confirmation, and is queued for this review. The policy set as it stands has, in this author’s non-legal view, materially closed the gaps identified in the audit. The work product on which this review should focus is in §3 (Open items requiring counsel input) — the items that the audit explicitly punted to GC.

2. Remediation log

Tier | Count | Commit | Files touched | Themes
--- | --- | --- | --- | ---
Critical | 6 | 2693638 | 6 | Whistleblower rewrite (SOX §806, Dodd-Frank §922 / Rule 21F-17, DTSA §1833(b), NLRA §7); §1514A added to anti-bribery; pre-clearance extended to Restricted-List public-company trades; OWASP-current password hashing; CHRO ownership of Code of Conduct; CPRA §1798.121 SPI section.
High | 10 | 360f374 | 10 | Federal-protected classes; BYOD posture; GDPR Art. 22 framing; DE/NJ e-monitoring; trade-compliance review-cadence stamps; NIS2 row; Rule 10b5-1 cooling-off formula; Cal/OSHA §6401.9 procedural elements; visitor-log retention; FCPA gift-threshold rationale.
Network | n/a | cae510a | 7 | Cloudflare One (WARP + Access + Gateway) as the default network/access layer for all staff; Tailscale restricted to production-access cohort, gated by quarterly access review. Subprocessor list updated.
Medium | 10 | 02b421c | 17 | Personal-information umbrella definitions; canonical anonymous-reporting page (Google Forms retired); GDPR DPO independence note (EDPB / WP243); dataset-card requirement for AI training data (EU AI Act Art. 53); tiered log retention; incident-response privilege framing; Section 16 / Reg FD / Reg G public-company readiness; legal/acceptable-use non-authoritative banner; FCRA + ban-the-box statutory framework.
Low | 10 | a6d802a | 24 | Single anonymous-reporting URL; entity-name verification; date uniformity; signed-approval-record location; Next Review date on every policy; SEC Reg S-K Item 106 row; tiered market-digestion safe harbor; “Function Leads” capitalization.
Total: 5 commits, 36 findings closed, ~85 files touched (some files appear in multiple tiers).

3. Open items requiring counsel input

The audit deliberately preserved 22 inline TODOs that turn on questions only counsel (or counsel + a business owner) can resolve. They are grouped below in roughly the order recommended for the meeting.

3.1 Whistleblower & escalation infrastructure

# | Item | File / line | Decision needed
--- | --- | --- | ---
W1 | Audit Committee constitution | legal/whistleblower.mdx:62; policies/anti-bribery.mdx:116 | Has the Audit Committee been formally constituted? If not, confirm escalation defaults to the full Board, identify the independent-director point of contact, and align both policies.
W2 | Anonymous-reporting hotline vendor | helpdesk/anonymous-reporting | Choose between NAVEX EthicsPoint, Syntrio, Lighthouse, or alternate. Procurement, DPA review, and a single URL/phone number to drop into the canonical page.
W3 | EU Whistleblower Directive (2019/1937) trigger | legal/whistleblower.mdx:133 | Confirm Neuroscale’s EU headcount remains below the 50-worker per-member-state threshold; document the analysis.

3.2 Trade compliance — five linked items

# | Item | File / line | Decision needed
--- | --- | --- | ---
TC1 | Restricted-party screening tool | policies/trade-compliance.mdx:56, :123 | Resolved (2026-05-09): Neuroscale will operate an internal screening service against the U.S. International Trade Administration Consolidated Screening List API (api.trade.gov) plus the published EU FSF and UK OFSI feeds. Counsel to confirm the design, hit-handling, and recordkeeping satisfy the OFAC, BIS, EAR, and EU/UK list-screening obligations referenced in the policy.
TC2 | EAR classification & ENC eligibility per product | policies/trade-compliance.mdx:66 | Confirm the 5D002 / EAR99 classification for each shipped product/SDK with outside trade-compliance counsel. Record in Export Classification Matrix.
TC3 | BIS encryption registration (ERN) | policies/trade-compliance.mdx:76 | Confirm whether the §740.17 one-time encryption registration has been filed; capture the ERN.
TC4 | §740.17(b) self-classification report cadence and owner | policies/trade-compliance.mdx:77 | Confirm filing cadence, owner, and the version of the self-classification report on file.
TC5 | ITAR scope confirmation | policies/trade-compliance.mdx:106 | Confirm Neuroscale does not currently develop or supply defense articles/services. Establish the contract-review trigger that brings GC into any future government / military / defense-contractor engagement.
TC6 | BIS AI rule reconfirmation cadence | policies/trade-compliance.mdx:100 | Standing watch — counsel reconfirms applicable BIS thresholds (10^25 / 10^26 FLOP, country tiers) on each material model release and each BIS rule update. Tied to AI2 (§3.3).

3.3 EU AI Act tiering

# | Item | File / line | Decision needed
--- | --- | --- | ---
AI1 | Per-feature AI Act risk-tier review | policies/ai-acceptable-use.mdx:113 | For each customer-facing AI feature, confirm “limited-risk” tiering under Art. 50; reconfirm before any EU launch and on each material change.
AI2 | GPAI / systemic-risk threshold review | policies/ai-acceptable-use.mdx:114 | Confirm whether any Neuroscale model meets the GPAI or systemic-risk thresholds (compute floor presently 10^25 FLOP, evolving). Document analysis on each material model release.

3.4 Employment / privacy — non-CA jurisdictions

# | Item | File / line | Decision needed
--- | --- | --- | ---
EP1 | Non-U.S. legal-basis documentation | policies/employee-privacy.mdx:64 | For any non-U.S. workforce member, document the GDPR Art. 6 / Art. 9 legal-basis analysis (especially legitimate-interest balancing tests) per jurisdiction.
EP2 | Forward-looking state e-monitoring laws | policies/employee-privacy.mdx:89 | Standing watch — refresh the state-statute list each quarter.
EP3 | CCTV / badge access posture | policies/employee-privacy.mdx:93 | Resolved (2026-05-09): the Sterling office (46175 Westlake Dr Ste 300, VA 20165) is operational and uses CCTV only (no badge-access system). Counsel to confirm the posted-notice text and signage placement satisfy Va. Code §18.2-386.1 / §40.1-28.7:5 and federal law; the current employee-privacy text has been narrowed to CCTV.
EP4 | Forward-looking biometric-privacy laws | policies/employee-privacy.mdx:104 | Same standing watch — IL BIPA, TX CUBI, WA HB 1493 are in scope today; CO, NY, NJ, MD, CA SB 1189 etc. expanding.
WV1 | State-specific WVPP requirements | policies/workplace-violence.mdx:28 | Confirm with counsel whether NY (S. 1054 / pending), NJ, IL or other jurisdictions impose WVPP requirements that go beyond the Cal. Lab. Code §6401.9 framework already implemented.
WV2 | Domestic-violence accommodations outside CA | policies/workplace-violence.mdx:169 | Identify the equivalent non-CA statutes (e.g., NY Lab. Law §196-b, IL VESSA, NJ SAFE Act) and align procedure-level guidance.

3.5 Insider trading & FCPA recordkeeping

# | Item | File / line | Decision needed
--- | --- | --- | ---
IT1 | Access Persons list-of-record location | policies/insider-trading.mdx:119 | Resolved (2026-05-09): the Access Persons list is maintained in a restricted SharePoint folder owned by the CFO; access is limited to the CFO, the General Counsel, and named CHRO designees, with quarterly access-review coverage. Counsel to confirm the access-control posture meets the 17 C.F.R. §240.17a-4 / applicable retention obligations.
IT2 | Specific records-retention period | policies/insider-trading.mdx:171; policies/anti-bribery.mdx:130 | Resolved (2026-05-09): insider-trading and FCPA-relevant records are retained for 7 years, matching the whistleblower investigations baseline. Counsel to confirm 7 years satisfies the §240.17a-4 / FCPA / DOJ Corporate Enforcement floor in light of any pending public-company readiness.
AB1 | Anti-bribery jurisdictional expansion | policies/anti-bribery.mdx:16 | Confirm whether any additional anti-corruption regimes apply as Neuroscale expands (Brazil Clean Companies Act, France Sapin II, etc.).

3.6 EU Cyber Resilience Act

# | Item | File / line | Decision needed
--- | --- | --- | ---
CRA1 | CRA applicability and compliance-obligation date | policies/open-source-sbom.mdx:89 | Counsel to confirm whether Neuroscale’s products fall within the CRA’s “products with digital elements” scope and the applicable compliance date (most obligations phase in through late 2027).

3.7 Cross-border transfers, DPF, and DPIA lead supervisory authority

# | Item | File / line | Decision needed
--- | --- | --- | ---
CB1 | DPF certification | procedures/cross-border-transfers.mdx:34 | Counsel to file the EU-U.S. Data Privacy Framework certification at dataprivacyframework.gov, confirm scope (EU-U.S., UK Extension, Swiss-U.S.), and set the annual recertification reminder on the Compliance Calendar.
CB2 | Government-access transparency report | procedures/cross-border-transfers.mdx:120 | Confirm the cadence (annual is the conventional default) and the publication URL. Recommended placeholder: neuroscale.ai/transparency-report, first report published once Neuroscale receives or formally responds to a government access request, otherwise as an annual “no-receipt” attestation.
DPIA1 | Lead supervisory authority designation | procedures/dpia.mdx:37 | Defer until EU operations begin or an Article 27 representative is appointed; counsel to flag the trigger.

3.8 Legal-audit drafting clusters (F1–F51)

The May-2026 internal legal audit produced 50 incremental drafting findings (F1–F51) tracked in Finalization Tasks → Section 14. Eight (F8, F11, F31, F35, F38 [withdrawn], F40, F41, F48) have landed; the remaining are GC-redline candidates and ride into this packet for VGC review. Counsel is asked to red-line the drafting changes proposed below, organized by theme; each cluster is intended to land as one PR after the meeting.

Cluster | Findings | Theme | Lead reviewer
--- | --- | --- | ---
F-Labor | F2, F15, F16, F17, F25 | NLRA §7 carveout in InfoSec; off-duty-conduct narrowing; at-will plus progressive-discipline reconcile; federal-state-local non-discrimination sweeper; annual policy re-acknowledgement codified in HR. | VGC employment counsel
F-Absolute | F5, F18, F19, F33, F34, F44, F45, F46 | Softening absolute commitments — 24-business-hour access termination tiering; cryptography “doubly protected” hedge; SSL Labs grade reconcile; vuln-SLA exception ceiling; customer data in non-prod reconcile; deployment + vulnerability SLA reconcile. | Engineering + GC
F-DataMgmt | F22, F23, F24 | DTSA trade-secret hook; retention-period framing reconcile. | GC
F-IR | F28, F29, F30, F32 | CEO escape valve in internal-actor escalation; “promptly notifies” → matrix; CA AG portal row; NIS2 EU-customer trigger. | GC + the CISO
F-Mechanical | F1, F3, F4, F6, F7, F9, F10, F13, F14, F20, F26, F36, F37, F42, F43, F47, F49, F50, F51 | Monitoring-consent acknowledgement; personal-use definition; whistleblower content dedupe; access-control implementation cross-ref/reconcile; asset-management handling rules + contractor-equipment scope; BC pandemic scenario + trigger definition; pepper rotation triggers; HR fraud-pressure boilerplate tie-in; threat-intel section status; CCTV state-notice cross-ref; DPO designation sweep + independence reconcile; SAST tooling reconcile; SCC Module 3 selection mirror; physical-sec assessment method; high-risk providers enumeration. | GC (drafting redlines)

4. Cross-cutting program decisions to confirm

These are not specific TODOs but program-level posture items the audit assumed and that the GC should explicitly confirm or amend before the next review:
  1. HIPAA descope. Memory of record: HIPAA / PHI / BAA were removed entirely on 2026-05-08; no Neuroscale product handles PHI. Confirm this is still the GC’s position and that no customer pipeline contemplates a HIPAA Covered-Entity / Business-Associate engagement.
  2. GDPR Art. 37 mandatory DPO. The policy set takes the position that Art. 37 is not triggered (no public-authority status, no large-scale regular and systematic monitoring, no large-scale special-category processing) and that the GC performs DPO duties voluntarily. The DPO independence note (policies/roles-responsibilities.mdx) flags the EDPB conflict concerns; the policy commits to retaining an independent DPO if Art. 37 later triggers. Confirm.
  3. Outside-counsel role for GC duties. The compensating-controls table assumes VGC LLP holds the GC role under a standing engagement letter. Confirm the engagement letter scopes the full set of GC duties used in this policy library — breach determination, DPIA sign-off, whistleblower escalation, anti-bribery investigation, trade-compliance license determinations, insider-trading pre-clearance, etc.
  4. Network posture. Cloudflare One is the default VPN/ZTNA layer for all staff; Tailscale is restricted to production-access roles (Engineering On-call, System Owners). The Cloudflare relationship is being treated as a sub-processor of workforce data only (no Customer Personal Data flows through Cloudflare One in normal operation). Confirm that posture is consistent with the executed Cloudflare DPA.
  5. Public-company readiness. The policy library now contains forward-looking sections for Section 16, Reg FD, Reg G, Form 8-K Item 1.05, and Reg S-K Item 106. None applies today. Confirm the appropriate trigger event (Form S-1 filing? Section 12 registration? Specific runway date?) at which counsel will activate those sections.
  6. Privilege framework for incidents. policies/incident-response.mdx now requires a written engagement memo at the start of any P0/P1 incident with potential legal exposure, with forensic vendors retained through outside counsel. Confirm the standing engagement letter contemplates this and that VGC LLP (or designee) is on call for P0/P1 incidents.

5. Suggested agenda for the meeting

  1. (15 min) Open items in §3.1 — whistleblower / Audit Committee / hotline vendor. These have the highest “auditor-visible” cost of leaving open.
  2. (20 min) Trade-compliance items in §3.2 — five linked items that benefit from being decided together. Likely needs outside trade-compliance counsel input on TC2 and TC3. Note TC1 has been resolved on the Neuroscale side (internal api.trade.gov service); confirm legal sufficiency.
  3. (15 min) EU AI Act items in §3.3 and CRA in §3.6.
  4. (10 min) Employment / privacy non-CA items in §3.4 — confirm the per-jurisdiction matrix VGC will maintain.
  5. (10 min) Cross-border transfers (§3.7): file DPF certification and confirm transparency-report cadence; DPIA LSA defers until EU operations.
  6. (20 min) §3.8 legal-audit drafting cluster — walk through F-Labor and F-Absolute first, F-DataMgmt + F-IR + F-Mechanical as time permits.
  7. (10 min) Cross-cutting program decisions in §4 — items 1, 3, 5, 6 in particular.
  8. (10 min) Schedule and ownership for the next quarterly review (target: August 8, 2026).
Pre-reads: this page; the rewritten Whistleblower Policy; the Trade Compliance Policy; and the AI Acceptable Use Policy.

6. Document control

Field | Value
--- | ---
Document type | Quarterly counsel-review pre-read
Owner | General Counsel (VGC LLP — Kotler / Mori / Greeley)
Internal author | Cameron Wolfe
Confidentiality | Restricted (Neuroscale internal — privileged work product prepared at the direction of counsel)
Retention | 7 years per the Records Retention Schedule
Privilege label | Privileged & Confidential — Attorney-Client Communication / Attorney Work Product