This page summarizes Neuroscale’s security program for the Arbi platform. For the formal control set and audit status, see the Trust Center; for data handling, see the Privacy Notice and DPA.

Infrastructure & network

  • The Arbi platform runs in hardened cloud infrastructure. All external traffic enters through Cloudflare (TLS in transit, web application firewall, and Cloudflare Access); production compute is not directly exposed to the internet and is reached only through a Cloudflare tunnel.
  • Production runs on self-managed Kubernetes (RKE2) with namespace isolation and network policies; data stores are reachable only from within the cluster network. Staging and production environments are separated.
  • Asynchronous processing is orchestrated through Temporal Cloud over mutually-authenticated TLS.

Encryption

  • In transit: TLS terminated at Cloudflare for all customer traffic; internal service-to-service connections use encrypted transport.
  • At rest: customer data stores are encrypted at rest; sensitive third-party credentials (e.g., connected email/LinkedIn accounts) are additionally encrypted at the application layer.
  • Key & secret management: production secrets are held in HashiCorp Vault, retrieved at runtime via short-lived GitHub-OIDC authentication — no long-lived deploy credentials.

Access control

  • Workforce and customer authentication is brokered by WorkOS (SSO / OIDC) with multi-factor authentication.
  • Access follows least privilege with role-based provisioning, named approval for privileged access, and quarterly access reviews. Access is revoked promptly on separation.
  • Administrative tooling is separated from the customer application and independently authenticated.

Secure development

Security is built into the SDLC, with automated checks in CI/CD on every change:
  • Static analysis (SAST): Semgrep; CodeQL code scanning.
  • Secret scanning: Gitleaks on every change.
  • Dependency / supply-chain (SCA): Snyk and GitHub Dependency Review; container scanning with Trivy.
  • Code review & separation of duties: required peer review with CODEOWNERS gating on sensitive areas (auth, encryption, billing, migrations); branch protection requires checks to pass.
  • Signed, attested releases: release images are signed (Sigstore/cosign, keyless) and ship with a CycloneDX SBOM.

Monitoring & incident response

  • Application traces and logs are centralized in Better Stack; security-relevant actions are recorded in an audit-event log.
  • Neuroscale maintains a documented Incident Response program with severity-based escalation, breach determination by executive + legal, and customer notification per contract and applicable law.

Data handling & AI

  • Customer and candidate data is processed to provide the service as described in the DPA and Privacy Notice.
  • AI features route through a managed gateway to enterprise model providers under contractual terms that prohibit training on customer data; Neuroscale’s own training-data and AI-transparency practices are described in the AI Training-Data Transparency Notice.

Compliance status

  • SOC 2: Neuroscale’s initial SOC 2 Type II observation window (Security criterion) opens June 22, 2026; the report will be available to customers under NDA once issued. (No SOC 2 report has been issued yet.)
  • ISO/IEC 27001:2022 and ISO/IEC 42001 (AI management): on the roadmap; the control set is built and maintained.
  • Privacy: Neuroscale processes personal data consistent with the GDPR and US state privacy laws (see the Privacy Notice).
Current attestation status is always reflected on the Trust Center.

Reporting a security issue

Email security@neuroscale.ai. We welcome coordinated disclosure of vulnerabilities.

Cross-references