Review Actions

This page consolidates findings from three reviews of these docs:

1. Improvements & inconsistencies review (full report at /tmp/ns-policies-review.md)
2. General-counsel legal review (full report at /tmp/ns-legal-review.md)
3. Compliance calendar build (cadence inconsistencies surfaced as a side-effect)

Each item has been triaged into Apply now, Decide & apply, or New work. Items already remediated in this iteration are listed at the bottom.

​

Status

The 20 recommended additional policies & procedures from the legal review have all been drafted and integrated as of this iteration. Public-vs-internal separation is now structurally enforced — see the Public tab. The Roles & Personnel matrix now serves as the canonical role-of-record. The list of items below is what remains for the GC + CISO + CHRO to triage and finalize.

​

Entity name (resolved 2026-05)

Operating entity is NEUROSCALE LLC, a Virginia limited liability company. All public-facing legal docs and templates use this entity. ToS governing law set to the Commonwealth of Virginia (venue: state and federal courts in Virginia, including the U.S. District Court for the Eastern District of Virginia). The currently published neuroscale.ai/privacy and neuroscale.ai/terms sign as “Neuroscale, Inc.” (Delaware corporation) — those public pages need to be updated to match the LLC entity and Virginia governing law when this docs version is published.

​

Top 4 to address before any external publication

1. Replace the Google Form whistleblower channel with a true anonymous hotline (EthicsPoint, NAVEX, or Whispli) — current setup creates SOX §806 / Dodd-Frank §21F / SEC Rule 21F-17 exposure and is logged by Google. References to update: index.mdx, policies/code-of-conduct.mdx, policies/information-security.mdx, legal/whistleblower.mdx.
2. Add a breach-notification timing matrix to Incident Response. Required: 50-state breach laws, GDPR Article 33 (72hr to supervisory authority, undue delay to data subjects), SEC Form 8-K Item 1.05 (4 business days from materiality determination), and customer-contractual notification windows. Without this matrix, the IR plan is incomplete for SOC 2 Type II.
3. Code of Conduct non-discrimination clause (policies/code-of-conduct.mdx:24,34) needs to track Title VII / state-equivalent protected classes verbatim (or use the standard “race, color, religion, sex (including pregnancy, sexual orientation, gender identity), national origin, age, disability, genetic information, veteran status, or any other characteristic protected by applicable federal, state, or local law”), add ADA reasonable-accommodation language, and reconsider the weapons policy in light of state parking-lot gun statutes (TX, TN, FL, MS, OK, etc.).
4. Add at-will / reservation-of-rights / SEC §21F-17 carveout language as a footer on every policy. The current “progressive discipline” reference in policies/human-resources-security.mdx:62 can be construed to abrogate at-will employment.

​

Apply now (mechanical) — already done in this iteration

These were applied while writing this page and need no further action.

• “the the” duplications removed in business-continuity.mdx and incident-response.mdx.
• Duplicated #security-incidents channel in incident-response.mdx fixed.
• GitHub org reference settled on neuroscale in index.mdx.
• Risk-management hybrid title “the CISO (acting as CISO)” → “the CISO”.
• Roles & Responsibilities “Head of Security / CISO (todo: confirm title)” → “CISO”.
• Cryptography table duplicate column on row 1 (Web certificate) corrected.
• Endpoint-storage encryption: “128 or 256-bit” → “256-bit”.
• Web-filtering line in operations-security: Rippling (which is endpoint protection, not DNS filtering) clarified — Cloudflare Gateway noted as the DNS filter.
• Password minimum: 8 → 12 (with floor of 8 only where a system can’t be configured higher).
• Onboarding “Read all 15 [policies]” link points to the home page, which lists all 15.
• Code of Conduct ownership: CISO → CHRO.
• BC/DR roles: standardized on “CTO” (was inconsistent with “CTO”).
• Vulnerability remediation SLA: Critical 30d → 7d; High remains 30d.
• Incident Manager wording in incident-response.mdx reconciled with the on-call IRT model.

​

Decide & apply (need user judgment)

​

Process / scope

• SOC 2 Trust Services Criteria scope. handbook/compliance-frameworks.mdx lists Availability, Confidentiality, Processing Integrity, Privacy as (todo). Pick which to include in the report; this drives which controls become in-scope.
• Audit firm and report period. Same page.
• Bug bounty program — currently “private (invite-only)” placeholder; either confirm or remove from engineering/vulnerability-management.mdx.
• Tooling list final confirmation. The reviewer flagged that Better Stack, Slack, Rippling, Detectify, Material, and Checkr appear in the docs but weren’t on the canonical tool list. Confirm each.
• Access matrix wiki/spreadsheet. Linked from policies/access-control.mdx and procedures/access-management.mdx — needs a real link.

​

Numeric thresholds still placeholder

• Customer data deletion window (60 days?) in procedures/data-retention-matrix.mdx.
• Mobile-device theft reporting SLA.
• Helpdesk-response SLA in helpdesk/index.mdx.
• Account-provisioning SLAs in helpdesk/account-requests.mdx.
• Service-account key rotation cadence in engineering/secrets-management.mdx.
• Database password rotation cadence — same.
• DB-restore-test cadence beyond annual.
• Standard-access-bundle approver(s).

​

Legal-review high-priority redlines (from /tmp/ns-legal-review.md)

The legal review proposed verbatim redlines for 12 high-priority issues. Action: GC reviews the report, accepts/rejects each, then redlines are applied as a single PR. Examples:

• Absolute commitments to soften: “All TLS endpoints score A or better on SSL Labs” (policies/cryptography.mdx:43), “Maximum allowable time for access termination: 24 business hours” (policies/access-control.mdx:78), “No code is deployed to production without documented, successful test results” (policies/secure-development.mdx).
• FCRA adverse-action process missing in policies/human-resources-security.mdx.
• DTSA §1833(b) trade-secret immunity notice not present anywhere — without it, exemplary damages and attorneys’ fees forfeited.

​

Public-site reconciliation (2026-05)

After comparing the drafted Privacy Notice against the published neuroscale.ai/privacy and the drafted Terms of Service against neuroscale.ai/terms:

• Entity — NEUROSCALE LLC (Virginia LLC). Note: the currently published neuroscale.ai/privacy and neuroscale.ai/terms sign as “Neuroscale, Inc.” (Delaware corporation, Delaware governing law) — those public pages need to be updated to NEUROSCALE LLC (Virginia LLC, Virginia governing law) when this docs version is published.
• Effective dates — set to June 1, 2026 on the Privacy Notice, Terms of Service, and CA Applicant & Personnel Notice.
• Customer / User / Candidate persona structure — added to the Privacy Notice (the live notice has this; our prior draft did not).
• Backup-residue language — added: deletion requests may leave residual copies in encrypted backups until rotated.
• AEDT compliance disclosures — added explicit references to NYC LL 144, IL AI Video Interview Act, MD HB 1202, CO AI Act, and EU AI Act in the Privacy Notice (informational), Terms (Customer responsibility + bias-audit cooperation), and CA Applicant & Personnel Notice (Neuroscale’s own hiring use).
• AI-Outputs / no-sole-reliance — strengthened in both documents.
• No-training-on-Customer-Content — promoted to a contractual representation in the Terms (§7.3), not just a privacy disclosure.
• California Applicant & Personnel Notice — drafted at public/california-applicant-personnel-notice.mdx; CPRA-compliant separate notice for job applicants, employees, contractors.
• EU/UK Article 27 representatives — none appointed; documented as such (no placeholder).
• Carve-outs to liability cap — added in Terms §14.3 (payment, indemnity, confidentiality, IP/license-restrictions, non-excludable liability).
• No third-party beneficiaries — added to Terms §16 to block Candidate-side claims.
• Order of precedence — added (DPA → Order Form → Terms).
• Export control + sanctions reps — added (live ToS lacks these).
• Force majeure, publicity opt-out, assignment, severability, anti-corruption — added (live ToS lacks these).

The published Privacy Policy and Terms on neuroscale.ai should be replaced by the versions in this docs site once GC signs off on any redlines, and the entity / governing-law references on the live pages updated from “Neuroscale, Inc. (Delaware)” to “NEUROSCALE LLC (Virginia).”

​

Drafted in this iteration (2026-05)

The following 20 documents recommended by the legal review have been drafted. Each is a real, substantive doc — not a stub. Action: GC + relevant policy owners review each, accept/redline, set Effective Date, sign.

​

Internal policies (additional to the 15 core)

• AI Acceptable Use
• Trade Compliance
• Open Source & SBOM
• Insider Trading
• Workplace Violence
• Anti-Bribery
• Employee Privacy

​

Internal procedures

• Data Subject Rights
• DPIA
• Cross-Border Transfers
• Records Retention Schedule (formal — replaces the placeholder data-retention matrix)
• Background Checks
• Customer Data Export
• Records Disposal
• Customer Communications

​

Public-facing pages

• Trust Center
• Privacy Notice
• Subprocessor List
• Cookie Notice

​

Templates

• DPA Template
• Background-Check Consent
• Adverse-Action Letter

​

Plus the structural enhancements

• Incident Response Plan — added the multi-regime breach notification timing matrix.
• Compliance Frameworks — named officials confirmed.
• Roles & Personnel matrix — canonical roles, responsibilities, approval-authority, and cross-policy alias map.

​

Original “new work” list (now drafted — see above)

The legal review recommends 20 additional documents — all listed above as drafted. Triage as needed:

​

ISO 27001:2022 control gaps

From the inconsistencies review — these need procedure or owner assignment:

• A.5.7 Threat intelligence — referenced but no procedure / owner / cadence.
• A.5.20 Supplier agreements — no DPA template referenced.
• A.5.30 ICT readiness for BC — RTO/RPO matrix is (todo).
• A.7.13 Equipment maintenance — laptops/MDM equipment maintenance not addressed.
• A.8.16 Monitoring activities — no cadence for who reviews non-firing alerts and tunes thresholds.
• A.8.31 Separation of dev/test/prod — stated, but enforcement (separate AWS accounts? IAM boundaries?) not described.
• A.8.34 Protection during audit testing — not addressed.
• Annual IR tabletop — referenced in compliance-frameworks.mdx but no procedure exists.
• Tailscale — listed as a tool but no policy describes it as a network-security control.

​

How to use this page

This is a working tracker. As items are addressed:

1. Move them from the active section to the “applied” section above with a 1-line note.
2. If an item turns into a real policy or procedure, link it from here when published.
3. Items that are explicit GC decisions should be resolved by the GC and the CISO together before the SOC 2 audit fieldwork window opens.

Source reports — /tmp/ns-policies-review.md and /tmp/ns-legal-review.md — should be copied into Notion or SharePoint for permanent retention; /tmp is volatile.

​

Version history