This page is the working punch-list for finishing the compliance docs. Every (todo) marker in the repo is enumerated below, grouped by what kind of decision is needed, so the right person (CISO, Legal, IT, Engineering, People Ops) can sweep through their section and fill in real values.
~68 open (todo) markers across ~20 files as of 2026-05-08 (post-cleanup count; raw `rg "\(todo" docs/`, excluding this tracker, handbook/counsel-review-2026-q2.mdx, and templates/agent-rules/). Down from 147/44 after:

  - the intake.neuroscale.ai portal went live;
  - GDPR Art. 37 was confirmed not triggered;
  - HIPAA was descoped entirely (the HIPAA Security Policy, BAA Management procedure, and BAA Template were removed; the previous Section 7 “HIPAA-specific items” is retired);
  - the wiki-link block was wired up via 13 new in-project docs;
  - the AI provider stack was approved as customer-facing;
  - the toolchain (status page, Slack, Postgres, Vanta-LMS, Dashlane region, AI tools) was filled in;
  - Better Stack incident-reporting was wired into engineering / key-contacts;
  - the Sayantani / Brandt / Board-of-Directors directory rows were filled.

The Counsel Review Package — 2026 Q2 closed an additional 36 internal-audit findings across 5 commits. Section 14 below captures 50 incremental legal-review findings from a second-pass audit conducted 2026-05-08 — these are drafting / clause / cross-policy-consistency gaps, not (todo) placeholders, so they do not appear in the top-of-page count. Numbers update only when this page is regenerated. A handful of (todo) references in README.md, handbook/how-to-use.mdx, and handbook/review-actions.mdx are meta-references explaining what the marker means and are not real placeholders.

How to use this page

  1. Find the group that matches your area of responsibility.
  2. Open the linked file, replace every (todo: ...) placeholder with a real Neuroscale value.
  3. Open a PR (see the How to mark something done footer).
  4. The next time someone runs `rg "\(todo" docs/`, your section should be empty.
Treat (todo) markers as drafts, not policy. Until they are resolved, the surrounding paragraph cannot be relied on for an audit. Auditors and customers should not see this site (and especially the /public/ pages) until this list is empty (or close to it).
A second cleanup pass landed 2026-05-08, completing every high-confidence default in this tracker. Remaining items that need user judgement (vendor decisions, counsel review, scope decisions) are itemized in REVIEW_1.md at the repo root.

Summary by group

Use the group counts as planning units; use the linked file:line as the source of truth.

Open gaps found in audit

Issues that need triage but are not pure value-fill placeholders.
  1. handbook/compliance-frameworks.mdx:52 — CCPA owner is (todo: assign) but the same matrix gives Privacy Officer = GC. Resolve to “General Counsel (Privacy Officer)”.
  2. policies/insider-trading.mdx:34 and :98 — same Access-Persons-list-owner placeholder appears twice. Two separate (todo)s for what is one decision.
  3. procedures/data-retention-matrix.mdx:10 and :26 — customer-data deletion window after contract termination is (todo) in two places (matrix row + body paragraph). Must agree when filled in. Same value also referenced from handbook/compliance-calendar.mdx:154 — three places to update.
  4. policies/anti-bribery.mdx:114 (todo: confirm Audit Committee exists) overlaps with legal/whistleblower.mdx:29 (todo: confirm) Audit Committee row. Single decision; should resolve both at once.
  5. policies/insider-trading.mdx:130, policies/employee-privacy.mdx:176, policies/anti-bribery.mdx:112, policies/workplace-violence.mdx:58, index.mdx:89 — five places with the same “replace Google Form with anonymous hotline” todo. One vendor decision unblocks all of them; group with the Whistleblower Policy link.
  6. procedures/cross-border-transfers.mdx:33 — DPF certification (todo) says “register at dataprivacyframework.gov” but does not specify the SCC Module choice (2/3/4) when DPF is unavailable. The DPA template at templates/dpa-template.mdx references SCCs but does not pin a Module either — adversarial readers (auditors, customers’ counsel) will ask. Add module selection guidance.
  7. policies/trade-compliance.mdx:54 and :121 — same screening-tool (todo) appears twice with the same options list. One decision; two placeholders.
  8. public/cookie-notice.mdx:48-49 — Analytics and Marketing cookie rows have (todo: confirm) for both provider and purpose; without these the cookie banner CMP cannot be configured, which blocks GDPR/ePrivacy compliance for any EU traffic. Critical-path for the privacy program.
  9. templates/dpa-template.mdx:243 — the Neuroscale signature block has Name: **(todo: name)** for the Neuroscale signatory. Should resolve to “General Counsel” or a named officer (likely the GC) and not vary across customers.
  10. Helpdesk / handbook / engineering / template docs now have version-history rows. The prior tracker treated them as out of scope for v1.0 versioning. Decide whether the CISO’s v1.0 approval covers the whole docs library or whether helpdesk / handbook / engineering carry their own ownership and cadence. handbook/how-to-use.mdx still says “Version history is captured in the page footer of each policy” — update that line either way.
  11. (todo: contact address) placeholders — resolved 2026-05-08; the canonical NEUROSCALE LLC address (46175 Westlake Dr Ste 300, Sterling, VA 20165) was applied across all 8 placeholders in /public/* and the DPA template’s registered-office row.
  12. Live published pages are out of date with the entity decision. neuroscale.ai/privacy and neuroscale.ai/terms still sign as “Neuroscale, Inc. (Delaware corporation)” with Delaware governing law. The drafted /public/* versions in this docs site use NEUROSCALE LLC (Virginia LLC, Virginia governing law). Republish blocker — schedule the live-site swap with GC sign-off.
  13. Code of Conduct non-discrimination clause needs a verbatim Title VII / state-equivalent listing. policies/code-of-conduct.mdx:24,34. Per handbook/review-actions.mdx Top-5 #4: add the standard “race, color, religion, sex (including pregnancy, sexual orientation, gender identity), national origin, age, disability, genetic information, veteran status, or any other characteristic protected by applicable federal, state, or local law” listing; add ADA reasonable-accommodation language; revisit the weapons clause against state parking-lot statutes (TX, TN, FL, MS, OK).
  14. At-will / reservation-of-rights / SEC §21F-17 carveout footer missing on policies. Per handbook/review-actions.mdx Top-5 #5: every policy should carry a footer reserving Neuroscale’s right to amend, preserving at-will employment, and carving out SEC Rule 21F-17 protected whistleblower rights. The “progressive discipline” reference in policies/human-resources-security.mdx:62 can be construed to abrogate at-will employment without this carveout.
  15. DTSA §1833(b) trade-secret immunity notice not present anywhere. Without this notice on confidentiality / employment / contractor agreements, exemplary damages and attorneys’ fees under the federal Defend Trade Secrets Act are forfeited. Per handbook/review-actions.mdx.
  16. FCRA adverse-action process gap in HR Security policy. policies/human-resources-security.mdx references background checks but does not codify the FCRA pre-adverse / adverse-action workflow. The Adverse Action Letter template exists; the policy text should reference it and describe the required pre-adverse → 7-business-day wait → adverse-action sequence.
  17. Bug bounty program details placeholder. public/trust-center.mdx:48 advertises a bug bounty with (todo: confirm program details); engineering/vulnerability-management.mdx tracker note says it’s “private (invite-only)” placeholder. Decide: launch (with scope, rewards, disclosure SLA), keep private, or remove the trust-center mention.
  18. /tmp/ns-policies-review.md and /tmp/ns-legal-review.md are referenced from handbook/review-actions.mdx but /tmp is volatile. Copy both source reports into Notion or SharePoint and update the reference URLs before they get garbage-collected.

1. Effective dates & version-history rows

Resolved as of 2026-05-08. Every policy header Effective Date and every v1.0 history-row Date cell across the docs library is now filled in with May 8, 2026, with Cameron Wolfe as Author and Ishan Jadhwani as Approver. Public docs (/public/*) carry the same Effective date and a matching Last-updated value.

2. People & roles to assign

The Roles & Personnel matrix is now the canonical source. The Personnel directory and Key Contacts directory are filled in (Board, Executive Team, PR/Insurance, External-DPO retirement); these are the remaining named-role placeholders.
| Item | File | Action |
|---|---|---|
| CCPA / CPRA owner | handbook/compliance-frameworks.mdx:52 | Resolve to “General Counsel (Privacy Officer)”. |
| Access Persons list owner (likely CFO) | policies/insider-trading.mdx:34, :98 | GC + CFO; same decision in two spots. |
| Audit Committee whistleblower channel — confirm | legal/whistleblower.mdx:29 | Legal. Same decision as below. |
| Audit Committee exists? (anti-bribery escalation) | policies/anti-bribery.mdx:114 | Legal — confirm and remove placeholder. |

3. Wiki / Notion / SharePoint links to wire up

Resolved as of 2026-05-07. Every “(todo: link to X wiki / Notion / SharePoint)” placeholder in this group now points at a Neuroscale-authored doc inside this site. The new docs are listed below — each one replaced one or more (todo) markers in source files. The “Anonymous whistleblower service (EthicsPoint / NAVEX / etc.)” (todo) at legal/whistleblower.mdx:28 is not a wiki link — it is a vendor decision and is tracked in Section 12 — Anonymous-hotline migration. The (todo) at handbook/how-to-use.mdx:20 is the meta-example that explains what a (todo) marker looks like; it is intentional and excluded from the count.

4. Linear / Vanta / Better Stack / GitHub URLs to confirm

Specific external-tool URLs that need a real link, not a wiki page.
| Item | File | Action |
|---|---|---|
| Statement of Applicability in Vanta | handbook/compliance-frameworks.mdx:30 | CISO — paste Vanta SoA URL. |
| Access-review source-of-truth (Vanta or internal script) | procedures/access-reviews.mdx:17 | CISO. |
| Subprocessor-change subscription form | public/subprocessor-list.mdx:22, :57 | Marketing / Privacy — wire up subscription endpoint. |

5. Tooling decisions

Wherever a docs page says “name endpoint protection / SIEM / IdP / scanner / training vendor / screening tool,” a real product needs to be filled in (and procurement / contracts should match).
| Decision | File |
|---|---|
| Penetration testing vendor | engineering/vulnerability-management.mdx:25 |
| Firewall / DDoS protection (e.g., AWS Shield, Cloudflare) | engineering/configuration-hardening.mdx:25 |
| Runtime vulnerability / threat-detection tool | engineering/configuration-hardening.mdx:41 |
| Vulnerability scanner | procedures/data-retention-matrix.mdx:14 |
Action: the CISO + Engineering pick the tooling stack; Procurement confirms contracts; the docs are updated in one PR per area.

6. Numeric thresholds, frequencies, retention periods, SLAs

Every concrete number that’s still a placeholder.
| Threshold | File | Suggested |
|---|---|---|
| Static service-account key rotation | engineering/secrets-management.mdx:24 | e.g., every 90 days |
| Database password rotation cadence | engineering/secrets-management.mdx:25 | |
| Remote-access session timeout (hours) | engineering/configuration-hardening.mdx:71 | |

| Threshold | File |
|---|---|
| Customer-impacting change announcement lead time | engineering/change-management.mdx:12 |
| Helpdesk email SLA | helpdesk/index.mdx:12 |
| Security-issue triage acknowledgement SLA | helpdesk/report-security-issue.mdx:30 |
| Standard SaaS access provisioning SLA | helpdesk/account-requests.mdx:27 |
| Production / privileged access SLA | helpdesk/account-requests.mdx:28 |

| Threshold | File |
|---|---|
| Remote-employee device-return window | procedures/offboarding.mdx:11 |
| Customer-data deletion window after contract termination (matrix) | procedures/data-retention-matrix.mdx:10 |
| Customer-data deletion window restated in body | procedures/data-retention-matrix.mdx:26 |
| Customer-data deletion restated in compliance calendar | handbook/compliance-calendar.mdx:154 |

| Item | File |
|---|---|
| Support tickets retention | procedures/data-retention-matrix.mdx:11 |
| Support call recordings retention | procedures/data-retention-matrix.mdx:12 |
| Security event / log retention | procedures/data-retention-matrix.mdx:13 |
| Vulnerability scan results retention | procedures/data-retention-matrix.mdx:14 |
| CRM / sales data retention | procedures/data-retention-matrix.mdx:15 |
| QA scenarios / test data retention | procedures/data-retention-matrix.mdx:16 |
| Whistleblower investigation records retention | legal/whistleblower.mdx:49, handbook/compliance-calendar.mdx:159 |
| Insider-trading records retention | policies/insider-trading.mdx:145 |
| FCPA-relevant records retention | policies/anti-bribery.mdx:128 |

| Cadence | File |
|---|---|
| Quarterly access review | handbook/compliance-calendar.mdx:27 |
| Annual penetration test | handbook/compliance-calendar.mdx:28 |
| Annual policy re-acknowledgement | handbook/compliance-calendar.mdx:29 |
| Annual BC/DR test | handbook/compliance-calendar.mdx:30 |
| Annual IR tabletop | handbook/compliance-calendar.mdx:31 |

7. Privacy / GDPR / CCPA items

| Item | File | Action |
|---|---|---|
| DPF certification status (register at dataprivacyframework.gov) | procedures/cross-border-transfers.mdx:33 | GC + CISO; set annual recertification reminder. |
| SCC Module choice (2/3/4) when DPF unavailable | (gap — not currently parameterized in templates/dpa-template.mdx) | GC — add Module-selection text. |
| Government-access transparency report cadence + URL | procedures/cross-border-transfers.mdx:120 | GC + CISO. |
| CCPA / CPRA owner — resolve (todo: assign) | handbook/compliance-frameworks.mdx:52 | Resolve to GC (Privacy Officer). |
| Employee-privacy non-U.S. jurisdictions counsel review | policies/employee-privacy.mdx:64, :84, :88, :99 | GC — see also section 11 (Counsel-review). |
| DPA SCC Annex categories of data subjects + data + sensitive-data flag | templates/dpa-template.mdx:182-184 | GC + Product. |
EU / UK Article 27 representatives are intentionally not appointed as of 2026-05-07; see the Public site reconciliation note. DSR tracker (Linear DSR Tracker project) and DPIA register (Linear DPIA Register project) are wired in the procedures and no longer carry (todo) markers.

8. Public / external content

Customer-facing pages that must be clean before any auditor or prospect sees them. Contact address resolved 2026-05-08 — NEUROSCALE LLC, 46175 Westlake Dr Ste 300, Sterling, VA 20165 — applied across /public/privacy-notice.mdx (3 places), /public/subprocessor-list.mdx, /public/cookie-notice.mdx, /public/terms-of-service.mdx, /public/california-applicant-personnel-notice.mdx (2 places), and /templates/dpa-template.mdx.
| Item | Line |
|---|---|
| Subscription form for change notices (2 references) | public/subprocessor-list.mdx:22, :57 |
| AWS region confirmation (EU regions?) | public/subprocessor-list.mdx:30 |

| Item | Line |
|---|---|
| SOC 2 report link (when available) | public/trust-center.mdx:19 |
| Bug bounty program details | public/trust-center.mdx:48 |

| Item | Line |
|---|---|
| Republish to neuroscale.ai/terms (live page still shows “Neuroscale, Inc. (Delaware)”) | live neuroscale.ai/terms |

Publishing addresses to confirm: neuroscale.ai/privacy, neuroscale.ai/cookies, neuroscale.ai/subprocessors, neuroscale.ai/trust, neuroscale.ai/terms, plus the CA Applicant & Personnel Notice URL (e.g., neuroscale.ai/ca-privacy). All pages should be reviewed by GC before publication, paired with a CMP rollout for the cookie banner. The live /privacy and /terms pages need to be republished against the LLC entity (Virginia governing law) — see open-gap #12.

9. Templates needing GC sign-off

Customer-facing fillable templates. All use {{placeholder}} syntax for customer-side fields and (todo) markers for Neuroscale-side fields that need GC’s final pen.
| Template | Open items |
|---|---|
| DPA Template | SCC Annex categories of data subjects :182; categories of personal data :183; sensitive-data flag :184; Neuroscale signatory name :243 |
| Background Check Consent | (no (todo) markers; GC review of disclosure language pending) |
| Adverse Action Letter | Date of pre-adverse-action letter — runtime field rather than template fixture :78; GC review of FCRA wording |
Action: GC reviews all three and signs off on a v1.0 of each — same approval workflow as the policy v1.0s.

10. Scope decisions — SOC 2 / ISO / FedRAMP

| Decision | File | Action |
|---|---|---|
| SOC 2 — Availability in scope? | handbook/compliance-frameworks.mdx:19 | CISO + auditor. |
| SOC 2 — Confidentiality in scope? | handbook/compliance-frameworks.mdx:20 | CISO + auditor. |
| SOC 2 — Processing Integrity in scope? | handbook/compliance-frameworks.mdx:21 | CISO + auditor. |
| SOC 2 — Privacy in scope? | handbook/compliance-frameworks.mdx:22 | Legal + CISO. |
| Audit firm choice (Prescient Assurance / A-LIGN / etc.) | handbook/compliance-frameworks.mdx:24 | CFO + CISO. |
| First report period | handbook/compliance-frameworks.mdx:24 | CFO + auditor. |
| ISO 27001 SoA in Vanta — link | handbook/compliance-frameworks.mdx:30 | CISO. |
FedRAMP roadmap: not currently in scope; revisit if any U.S. federal customer engagement is contemplated.

11. Counsel-review (multi-jurisdictional, regulatory)

These are not “fill in a value” tasks — they are pending counsel reviews. Group them so the GC (VGC LLP) can batch them.
| Item | File |
|---|---|
| Workplace-violence statutory coverage outside CA (NY, NJ, etc.) | policies/workplace-violence.mdx:28, :136 |
| Anti-bribery — additional jurisdictions as Neuroscale expands | policies/anti-bribery.mdx:16 |
| Anti-bribery — gift/hospitality dollar thresholds | policies/anti-bribery.mdx:60 |
| Trade compliance — Russia/Belarus EAR scope review date | policies/trade-compliance.mdx:46 |
| Trade compliance — 5D002 / ENC eligibility per product | policies/trade-compliance.mdx:64 |
| Trade compliance — BIS encryption registration / ERN | policies/trade-compliance.mdx:74 |
| Trade compliance — annual self-classification report | policies/trade-compliance.mdx:75 |
| Trade compliance — BIS AI rule applicability (10^25/10^26 FLOP) | policies/trade-compliance.mdx:98 |
| Trade compliance — ITAR scope confirmation | policies/trade-compliance.mdx:104 |
| AI Acceptable Use — EU AI Act tiering per feature | policies/ai-acceptable-use.mdx:113 |
| AI Acceptable Use — GPAI / systemic-risk threshold | policies/ai-acceptable-use.mdx:114 |
| Open-Source / SBOM — EU CRA applicability + compliance date | policies/open-source-sbom.mdx:89 |
| Employee Privacy — non-U.S. jurisdictions; CCTV/biometric/notice statutes | policies/employee-privacy.mdx:64, :84, :88, :99 |
| Pre-employment background-screening jurisdictional add-ons (FCRA-equivalents) | (no explicit (todo); implicit in templates/background-check-consent.mdx GC review) |

12. Anonymous-hotline migration

Eight places currently link the same Google Form (or, in the whistleblower case, name the service generically) as the anonymous-reporting channel. One vendor decision (EthicsPoint, NAVEX, Whispli, etc.) clears all of them.
| File | Marker present |
|---|---|
| index.mdx:89 | (todo: replace with anonymous hotline) |
| policies/anti-bribery.mdx:112 | (todo: replace with anonymous hotline) |
| policies/code-of-conduct.mdx:83 | (todo: replace with anonymous hotline) (added 2026-05-07) |
| policies/employee-privacy.mdx:176 | (todo: replace with anonymous hotline) |
| policies/information-security.mdx:42 | (todo: replace with anonymous hotline) (added 2026-05-07) |
| policies/insider-trading.mdx:130 | (todo: replace with anonymous hotline) |
| policies/workplace-violence.mdx:58 | (todo: replace with anonymous hotline) |
| legal/whistleblower.mdx:28 | (todo: link to anonymous service) |
Action: GC + CHRO pick a vendor; one PR replaces all 8 references above with the new URL and fills in the audit-evidence-map row at handbook/compliance-calendar.mdx:190 (currently Anonymous service vendor (todo)).

13. Other

A few items that don’t fit cleanly above.
| Item | File | Notes |
|---|---|---|
| Define “significant code change reviewer” (e.g., non-author via PR review) | policies/secure-development.mdx:26 | Engineering — confirm wording matches GitHub branch-protection. |
| Pre-prod / production access training requirement | helpdesk/account-requests.mdx:21 | Security — decide on training course or attestation. |
| Offboarding device handling (wiped & reprovisioned vs. wiped & retired) | procedures/offboarding.mdx:36 | IT to confirm. |
| Access-reviews matrix — system + cadence (4 placeholder rows × 3 cells each) | procedures/access-reviews.mdx:27-30 | CISO. |
| Press-inquiry email alias (press@?) | procedures/customer-communications.mdx:70 | Comms / CEO. |
| Compliance-calendar legal-hold tracker location | handbook/compliance-calendar.mdx:191 | GC — pick a location (likely the SharePoint Legal folder). |

14. Second-pass legal-review findings (2026-05-08)

A second-pass legal audit of the 15 core policies was conducted on 2026-05-08, building on the Counsel Review Package — 2026 Q2 (which closed 36 prior findings across 5 commits). The audit surfaced 50 incremental findings — drafting, clause, cross-policy-consistency, and labor-/employment-law gaps that are not (todo) placeholders and therefore not counted in the top-of-page total. They still need to be remediated before external publication. Severity distribution: 10 High, 23 Medium, 17 Low. Findings are listed below; each links the source line and gives a one-sentence recommended action.
F21 from the audit (HIPAA scope contradiction) was checked and resolved: policies/hipaa-security.mdx, procedures/baa-management.mdx, and templates/baa-template.mdx no longer exist; the descope is consistent across the docs library. F21 is omitted below.

High-severity findings

These create exposure or are likely customer / auditor redlines. Resolve as a coordinated PR set with GC review.
| # | Where | Issue | Recommended action |
|---|---|---|---|
| F2 | policies/information-security.mdx:121 | “Unacceptable use” prohibits sharing employee/customer lists “without authorization” — sweeps in NLRA §7-protected concerted activity (post-Stericycle 2023). Same risk in email/communication restrictions at :127–132. | Add an NLRA §7 carveout footer reserving employees’ rights to discuss wages/hours/working conditions and to communicate with co-workers, unions, or government agencies. |
| F5 | policies/access-control.mdx:78 | “Maximum allowable time for access termination: 24 business hours” — across a long weekend stretches to 4+ calendar days; conflicts with offboarding’s “immediate” expectation for involuntary terminations. Extension of Top-5 #4. | Tier the SLA: ≤1 hour involuntary/for-cause; same-business-day voluntary; 24-business-hour outer ceiling with CISO sign-off on extensions. |
| F12 | policies/business-continuity.mdx:60 | RTO/RPO commitments outsourced to “AWS and Vultr SLAs” — creates a flow-down gap with the DPA template and exposure to unilateral cloud-SLA changes. | RTO/RPO Matrix carries Neuroscale-committed numbers independent of cloud SLA; align BC Policy and DPA template against the matrix. |
| F15 | policies/code-of-conduct.mdx:27 | Off-duty conduct rule “potential to adversely affect safety/well-being” is broader than CA Lab. Code §96(k)/§98.6, NY Lab. Law §201-d, CO §24-34-402.5 etc. permit. | Tie the off-duty hook to defined misconduct; add: “This policy does not restrict lawful off-duty conduct that does not affect Neuroscale’s legitimate business interests.” |
| F28 | policies/incident-response.mdx:104 | Internal-actor escalation routes through CEO with no escape valve if the CEO (or someone the CEO would protect) is the actor — contradicts the SOX §806 / Dodd-Frank §21F whistleblower structure. | Where the implicated party is the CEO or a board member, escalate to GC with parallel notice to the Audit Committee chair (or, today, the full Board), bypassing the implicated executive. |
| F34 | policies/operations-security.mdx:82 | “Scrubbed of any sensitive information whenever feasible” undermines the rule and conflicts with the customer DPA expectation. | Replace with “raw Confidential customer data is prohibited in non-production environments; pseudonymized/anonymized data permitted only with CTO + CISO approval, time-bounded to the testing window.” |
| F39 | policies/risk-management.mdx:28-32 | “Internal audit ensures…” — Neuroscale has no internal-audit function; auditors will ask who performs the role and there is no answer. | Replace “Internal audit” with “the CISO, in coordination with the General Counsel and as part of the annual policy review cycle, ensures…” or assign to a named role (CISO + external SOC 2 auditor for fieldwork). |
| F42 | policies/roles-responsibilities.mdx:80, :207 | “GC voluntarily performs DPO duties” framing only holds if no Neuroscale-published document names a “Data Protection Officer.” If one does, the Art. 38(6) independence requirement attaches involuntarily. | GC + CISO sweep /public/* and /templates/* to confirm no document names a DPO; remove or accept the Art. 37 designation and its consequences. |
| F44 | policies/secure-development.mdx:87 | “No code is deployed to production without documented, successful test results” — absolute commitment that conflicts with the operations-security:35 emergency-change provision. | Soften to “except for emergency changes per the emergency-change provision in the Operations Security Policy” with CISO/Engineering Lead approval recorded. |
| F45 | policies/secure-development.mdx:91 | “Within 90 days of discovery” patch SLA contradicts the operations-security:181 tiered SLA (Critical 7d, High 30d, Medium 60d, Low 90d). Auditors will read 90 days as the binding floor for High and Critical. | Replace with “per the SLA table in the Operations Security Policy.” |

Medium-severity findings

Program hygiene and cross-policy consistency. Should be fixed this year.
| # | Where | Issue | Recommended action |
|---|---|---|---|
| F1 | policies/information-security.mdx:100 | Open-ended monitoring clause without explicit no-expectation-of-privacy / consent acknowledgement (ECPA §2511(2)(d); CA Penal Code §632 and other two-party-consent statutes). | Add: “Users have no expectation of privacy in their use of Neuroscale systems. By accessing or using Neuroscale systems, users consent to such monitoring as permitted by applicable law.” Cross-link to Employee Privacy Policy. |
| F3 | policies/information-security.mdx:98 | “Personal use must be reasonable” is undefined — Stericycle overbreadth concern when used to discipline. | Anchor with non-exhaustive examples or quantitative limits (no business cost, no impairment of duties). |
| F6 | policies/access-control.mdx:35-37 | External-ID uniqueness rule has no implementing mechanism / control test — aspiration, not control. | Cross-reference the engineering doc with the actual implementation and add a control-testing reference. |
| F7 | policies/access-control.mdx:41 vs :63 | Shared-admin password-manager carveout contradicts the absolute “prevent generic admin-ID use” rule. | Either explicitly scope the carveout (BC/break-glass with named approvers and check-out logging) or remove the absolute prohibition. |
| F9 | policies/asset-management.mdx:42 | “Reasonable judgment and exercise due care” is the only stated handling standard — thin for a company subject to state breach laws keyed to “unauthorized acquisition of unencrypted PI.” | Add concrete handling rules (no unattended in vehicles, never checked baggage, FDE required, immediate reporting on loss/theft). |
| F10 | policies/asset-management.mdx (entire policy) | Scope is “Neuroscale-owned or -managed” — contractor-controlled equipment storing Neuroscale data is not addressed. | Expand scope or cross-reference Third-Party Management Policy contractor-device requirements. |
| F11 | policies/business-continuity.mdx:52-53 | Roles table has self-referential rows (“CEO (with CFO) … in conjunction with CEO and CFO”; “CTO (with CEO) … in conjunction with CTO”). Drafting error. | Rewrite the two rows so each role coordinates with a different role. |
| F16 | policies/code-of-conduct.mdx:75, :89 | “Disciplinary consequences in proportion to their violation” reads as an implied progressive-discipline commitment — adds to the at-will abrogation argument flagged in Top-5 #5. | Add inside the disciplinary section: “Neuroscale retains sole discretion to determine appropriate action; nothing herein creates a contractual right to progressive discipline or continued employment.” |
| F17 | policies/code-of-conduct.mdx:33 | “Be welcoming” listing without “any other characteristic protected by applicable federal, state, or local law” sweeper. Extension of Top-5 #3. | Add the federal-state-local sweeper at line 33 and confirm parity with the line-54 list. |
| F18 | policies/cryptography.mdx:34 | “Doubly protected” — any single workload skipping Vault Transit (queue payload, analytics export) makes the assertion false in fact. | Hedge: “For Confidential customer data on either cloud, Neuroscale’s standard architecture applies the application-layer Vault Transit wrap in addition to the provider’s at-rest encryption. Specific workloads may rely on provider-managed encryption alone where documented in the system inventory and approved by the CISO.” |
| F19 | policies/cryptography.mdx:43 vs :81 | Two different SSL Labs commitment levels in the same policy (“B or greater” in the table; “A or better” in the operational text). | Reconcile — target “A,” allow degradation to “B” only with documented exception. |
| F22 | policies/data-management.mdx:43-58 | “Confidential” definition does not declare that confidential data may include “trade secrets within the meaning of 18 U.S.C. §1839” — without this hook, downstream confidentiality clauses cannot reliably invoke DTSA §1836 civil remedies. (Parallel to the missing §1833(b) immunity notice in the existing tracker.) | Add: “Confidential information also includes information that qualifies as a ‘trade secret’ under the Defend Trade Secrets Act (18 U.S.C. §1839) and analogous state law.” |
| F23 | policies/data-management.mdx:117 | “Data owners may determine retention periods” — no ceiling, no GC ratification, no requirement to document in the Records Retention Schedule; conflicts with the GDPR Art. 5(1)(e) storage-limitation principle. | Add: “Retention periods for PII / Personal Data require documentation in the Records Retention Schedule and, for Personal Data subject to GDPR, justification under the storage-limitation principle. Indefinite retention is not permitted.” |
| F24 | policies/data-management.mdx:119 vs :129 | “PII deleted as soon as it no longer has business use” is an unverifiable absolute that conflicts with the more defensible formulation at :129 (“retained only as long as we have a legitimate business purpose”). | Replace :119 with: “PII is retained only as long as Neuroscale has a documented business or legal purpose, after which it is deleted or de-identified per the Records Retention Schedule.” |
| F25 | policies/human-resources-security.mdx:46 | Annual re-acknowledgement is on the calendar but not codified in the HR policy. | Add: “Employees and contractors re-acknowledge the policy library annually, on material policy changes, and on role change that materially shifts data access.” |
| F27 | policies/human-resources-security.mdx:22 | Background-check threshold “based on access level and risk” — undefined; SOC 2 third-party-control evidence wants a tier definition. | Tier the requirement and align with the Background Checks Procedure. |
| F30 | policies/incident-response.mdx:155 | Cal. Civ. Code §1798.82 row omits the §1798.29 (state-agency) parallel and the California AG submission portal required for breaches affecting > 500 California residents. | Add a row or footnote for “California AG submission required at oag.ca.gov/privacy/databreach/reporting.” |
| F33 | policies/operations-security.mdx:181-188 | Vulnerability remediation SLA exception (“show a risk-treatment plan”) has no maximum overrun, no approval requirement, no ceiling on plan duration. | Require CISO sign-off on any extension and an outer ceiling (e.g., no extension beyond 2× the SLA without CEO approval). |
| F36 | policies/operations-security.mdx:163-170 | Threat-intelligence section reads as future-tense aspiration (no owner, cadence, or evidence) for a v1.0 effective-dated policy. | Either (a) point at a procedure with owner/cadence/evidence, or (b) move to “Planned controls” with a target date. |
| F37 | policies/physical-security.mdx:36, :52 | CCTV / video-surveillance retention without state-notice cross-reference (CT, DE, NY Lab. Law §52-c, CA workplace-monitoring rules). | Add: “Where Neuroscale operates CCTV at a facility, posted notice and any state-law-required notice or consent is provided per the Employee Privacy Policy and applicable state law.” |
| F40 | policies/risk-management.mdx:46-55 | Risk categories don’t include “AI / Model Risk” — NIST AI RMF, EU AI Act Art. 9, and the AI Acceptable Use Policy all expect this category. | Add “AI / Model Risk” as an explicit category and cross-reference AI Acceptable Use. |
| F43 | policies/roles-responsibilities.mdx:197-208 | “Outside counsel may serve as DPO if independence is documented” is hard to satisfy when VGC LLP is the GC; leaves the future-DPO choice ambiguous. | Reconcile to: “If Art. 37 is triggered, an independent third party (DPO-as-a-service or a separate firm not engaged as GC) is retained. Outside counsel currently engaged as GC will not be designated DPO.” |
| F46 | policies/secure-development.mdx:101 vs policies/data-management.mdx:92 | Secure Development permits customer data in test “with permission of data owner and CTO”; Data Management flatly prohibits it. Two policies, two rules. | Defer Secure Development to the Data Management Policy formulation (flat prohibition with explicit exception via CTO + CISO approval). |
| F49 | policies/third-party-management.mdx:39 | Sub-processor SCCs “where applicable” without specifying Module 2 (controller→processor) vs. Module 3 (processor→processor). For sub-processors, Module 3 is the right choice. | Add “Sub-processor SCCs use Module 3 (processor-to-processor) where Neuroscale acts as processor for the customer.” Aligns with open-gap #6. |
| F51 | policies/third-party-management.mdx:74 | “High-risk providers” not enumerated; the AI sub-processors (Anthropic, OpenAI, xAI Grok, Cerebras) listed as customer-facing sub-processors should be the named “high-risk” providers. | Add a defined-list reference: “High-risk providers include AWS, Vultr, and AI sub-processors enumerated on the Subprocessor List; annual review covers each, plus DPA and AI no-training reps.” |

Low-severity findings

Drafting / hygiene; can be batched into a cleanup PR.
| # | Where | Issue | Recommended action |
|---|---|---|---|
| F4 | policies/information-security.mdx:36-42 vs policies/code-of-conduct.mdx:77-85 | Whistleblower content duplicated with subtly different scope across two policies. | Consolidate to a single canonical source (legal/whistleblower.mdx) and have both policies link to it rather than restate it. |
| F8 | policies/access-control.mdx:70 | Hard-codes the current quarter’s Linear project URL (“Q2Y26”) into policy text. | Reference the parent “Access Reviews” Linear team or a procedure page that lists current/recent cycles, not the per-cycle project. |
| F13 | policies/business-continuity.mdx:75-92 | No pandemic / extended-remote-operation scenario; ISO 27001 A.5.30 and most enterprise questionnaires expect explicit coverage post-2020. | Add a one-paragraph “Pandemic / extended remote operation” scenario noting that operations continue remotely with no facility dependency. |
| F14 | policies/business-continuity.mdx:25-27 | “Major disruption” undefined; no objective activation trigger. | Define materiality (e.g., service degradation > X hours, multi-region outage) so the activation trigger is non-discretionary. |
| F20 | policies/cryptography.mdx:65 | Pepper rotation “on suspected compromise” has no triggering definition or declarer. | Define triggers (Vault audit log shows unauthorized access; app DB exposed; for-cause termination of someone with pepper access) and the declarer (CISO or Incident Manager). |
| F26 | policies/human-resources-security.mdx:54 | “Excessive pressures and opportunities for fraud” reads as ISO 27001 A.6 boilerplate with no operational tie-in. | Either remove it or tie it to an actual review (e.g., annual review of incentive structures and SoD by CHRO + CFO, with results recorded in the risk register). |
| F29 | policies/incident-response.mdx:123 | “Promptly notifies” is undefined and creates interpretive risk against the breach-notification matrix. | Replace with “in accordance with the Breach Notification Timing Matrix below and any shorter contractual deadline in scope.” |
| F31 | policies/incident-response.mdx:142 | Hardcodes the Capital One precedent without state-law privilege variants. | Generalize (“federal and state precedent including In re Capital One, Wengui v. Clark Hill, etc.”) or remove the case citation. |
| F32 | policies/incident-response.mdx:161 | NIS2 row needs a triggering checklist for new EU-customer engagements that may flow down a notification obligation. | Add: “On any new EU customer engagement, GC confirms whether the customer’s NIS2 designation flows down a notification obligation.” |
| F35 | policies/operations-security.mdx:135 | The 13-month log-retention rationale conflates evidence retention with the 72-hour GDPR Art. 33 notification clock. | Reword to “supports retrospective determination of when the controller became aware of a breach” rather than linking it to the 72-hour clock. |
| F38 | (withdrawn) | Withdrawn 2026-05-08: Neuroscale does operate a physical office at 46175 Westlake Dr Ste 300, Sterling, VA 20165; the Physical Security Policy was updated to reference that office explicitly. The “Neuroscale is remote-first” framing in the original audit was incorrect. | |
| F41 | policies/risk-management.mdx:76 | Vanta risk-register hyperlink resolves to a login page for non-tenant readers. | Add a parenthetical “(Vanta tenant — internal access)” so a customer reviewer knows it’s not a public link. |
| F47 | policies/secure-development.mdx:93 | Names “GitHub Advanced Security and Snyk”, which may be stale vs. the canonical SAST/DAST tooling. | CISO to confirm the canonical SAST/DAST tooling and reconcile this line with engineering/vulnerability-management.mdx. |
| F48 | policies/third-party-management.mdx:24 | Lists “PCI DSS” as a tracked vendor regulatory regime; PCI is out of scope for Neuroscale. | Replace with “(ISO 27001, SOC 2, CCPA, GDPR, and any other certification or regulation a customer flow-down requires).” |
| F50 | policies/third-party-management.mdx:104 | Physical-security assessment method undefined and inconsistent with cloud-only sub-processors. | Add: “For cloud-only sub-processors, third-party SOC 2 / ISO 27001 attestations satisfy this requirement; for any sub-processor handling physical media or printed records, a written attestation or facility questionnaire is required.” |
  • Same-PR clusters. F2, F15, F16, F17 (NLRA §7 + off-duty + at-will + non-discrimination listing) ride together as one labor-and-employment redline patch with GC review. F44 + F45 + F33 (deployment + vulnerability SLAs) reconcile in one PR. F22 + the existing open-gap #15 (DTSA §1833(b) notice) ride together. F46 + F34 reconcile the “customer data in non-production” rule across Data Management, Operations Security, and Secure Development in one PR.
  • Single mechanical edits. F4, F8, F11, F13, F14, F32, F35, F38, F41, F47, F48 — batch into one cleanup PR.
  • Critical-path before external publication. F2, F15, F39 (phantom internal audit), F42 (DPO designation sweep), F44/F45 (absolute deployment commitment + conflicting SLAs).
  • Anything still open after the above should ride into the Q3 2026 Counsel Review Package as the next-quarter open-items list.
Open a PR removing the (todo) markers from the linked file:
  1. git checkout -b finalize/<area>-<short-description>
  2. Open the file shown above and replace every (todo: ...) for that section with the real value.
  3. Commit with a message like Finalize secrets-management rotation cadences.
  4. Open a PR; tag the responsible reviewer (CISO, Legal, IT, Engineering, People Ops as appropriate).
  5. Once merged, the next regeneration of this page will show the item resolved.
Convention: when a value depends on a decision that hasn’t been made yet (e.g., audit-firm choice), don’t invent it — leave the (todo) marker and document the blocker in this page’s group description so the right person sees it.
For auditors / customers: this page is the company’s own punch-list and is not part of any control statement. Open (todo) markers indicate areas where the surrounding policy has been drafted but a Neuroscale-specific value (a tool name, a URL, a date, a numeric SLA) is still pending. They do not indicate gaps in the control — see Compliance Frameworks and Roles & Personnel for the live control map.

Version history

| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |