Infrastructure & network
- The Arbi platform runs in hardened cloud infrastructure. All external traffic enters through Cloudflare (TLS in transit, web application firewall, and Cloudflare Access); production compute is not directly exposed to the internet and is reached only through a Cloudflare tunnel.
- Production runs on self-managed Kubernetes (RKE2) with namespace isolation and network policies; data stores are reachable only from within the cluster network. Staging and production environments are separated.
- Asynchronous processing is orchestrated through Temporal Cloud over mutually-authenticated TLS.
Encryption
- In transit: TLS terminated at Cloudflare for all customer traffic; internal service-to-service connections use encrypted transport.
- At rest: customer data stores are encrypted at rest; sensitive third-party credentials (e.g., connected email/LinkedIn accounts) are additionally encrypted at the application layer.
- Key & secret management: production secrets are held in HashiCorp Vault, retrieved at runtime via short-lived GitHub-OIDC authentication — no long-lived deploy credentials.
Access control
- Workforce and customer authentication is brokered by WorkOS (SSO / OIDC) with multi-factor authentication.
- Access follows least privilege with role-based provisioning, named approval for privileged access, and quarterly access reviews. Access is revoked promptly on separation.
- Administrative tooling is separated from the customer application and independently authenticated.
Secure development
Security is built into the SDLC, with automated checks in CI/CD on every change:- Static analysis (SAST): Semgrep; CodeQL code scanning.
- Secret scanning: Gitleaks on every change.
- Dependency / supply-chain (SCA): Snyk and GitHub Dependency Review; container scanning with Trivy.
- Code review & separation of duties: required peer review with CODEOWNERS gating on sensitive areas (auth, encryption, billing, migrations); branch protection requires checks to pass.
- Signed, attested releases: release images are signed (Sigstore/cosign, keyless) and ship with a CycloneDX SBOM.
Monitoring & incident response
- Application traces and logs are centralized in Better Stack; security-relevant actions are recorded in an audit-event log.
- Neuroscale maintains a documented Incident Response program with severity-based escalation, breach determination by executive + legal, and customer notification per contract and applicable law.
Data handling & AI
- Customer and candidate data is processed to provide the service as described in the DPA and Privacy Notice.
- AI features route through a managed gateway to enterprise model providers under contractual terms that prohibit training on customer data; Neuroscale’s own training-data and AI-transparency practices are described in the AI Training-Data Transparency Notice.
Compliance status
- SOC 2: Neuroscale’s initial SOC 2 Type II observation window (Security criterion) opens June 22, 2026; the report will be available to customers under NDA once issued. (No SOC 2 report has been issued yet.)
- ISO/IEC 27001:2022 and ISO/IEC 42001 (AI management): on the roadmap; the control set is built and maintained.
- Privacy: Neuroscale processes personal data consistent with the GDPR and US state privacy laws (see the Privacy Notice).