Neuroscale is a US-based AI company whose products handle sensitive workloads for enterprise and government customers. This Trust Center is the public surface of Neuroscale’s security, privacy, and compliance program — the same program reviewed by external auditors and by customer security teams under NDA.
For security questions: security@neuroscale.ai  ·  For privacy questions: privacy@neuroscale.ai  ·  For legal: legal@neuroscale.ai
Effective date: May 9, 2026  ·  Last updated: May 9, 2026

Compliance attestations

Controls are designed against recognized industry frameworks and submitted to independent third-party assessment. Reports and attestations are available to customers and prospects under NDA.

SOC 2 Type II

In progress. The initial Type II report (observation window June 22 – September 22, 2026) covers the Security criterion only; Availability, Confidentiality, and Privacy are scoped into the first subsequent Type II report (observation window September 22, 2026 – September 22, 2027), and Processing Integrity is not in scope in any window. Type I observation date and the initial Type II observation window open in parallel on June 22, 2026. Initial Type II observation period: June 22, 2026 – September 22, 2026 (three months). Subsequent Type II observation periods run on a rolling 12-month basis, gap-free against the prior window — first subsequent window September 22, 2026 – September 22, 2027. Auditor: Advantage Partners. Reports are made available to customers and prospects under NDA — request a copy.

ISO/IEC 27001:2022

In progress. Information Security Management System aligned to the 2022 standard.

CCPA / CPRA

Neuroscale processes personal data consistent with CCPA / CPRA requirements. See the Privacy Notice for California-specific disclosures and rights-exercise procedures.

GDPR

Neuroscale processes personal data on lawful bases under the GDPR and offers a Data Processing Addendum incorporating the Standard Contractual Clauses where applicable.

FedRAMP / DoD IL5

Near-term roadmap. Not currently authorized.

Security highlights

  • Encryption at rest — AES-256 across production data stores. Application-layer envelope encryption is performed via HashiCorp Vault Transit using Neuroscale-managed keys held in Neuroscale’s self-hosted Vault cluster; key material does not leave Vault. Cloud-native at-rest encryption from each provider (AWS KMS for AWS-resident services; Vultr platform encryption for Vultr-resident services) is layered beneath the application-layer wrap.
  • Encryption in transit — TLS 1.3, or TLS 1.2 with strong cipher suites where 1.3 is unavailable, on all data traversing public networks.
  • Multi-factor authentication — enforced for all employee access to production and corporate systems.
  • Least-privilege access — role-based access control, just-in-time elevation for production, and quarterly access certification reviews.
  • Single sign-on — SAML and OIDC SSO available to customers on eligible plans.
  • Logging and monitoring — security and application telemetry centralized, retained, and reviewed; alerts route to a 24x7 on-call rotation.
  • Third-party penetration test — Neuroscale has engaged Horizon3 for its first independent penetration test, with fieldwork scheduled in connection with the initial SOC 2 window (June–July 2026) and an annual cadence thereafter; a summary letter is made available under NDA on completion.
  • Vulnerability management — continuous scanning, prioritized remediation SLAs, and closure tracking.
  • Vulnerability disclosure (private bug bounty planned) — Neuroscale operates coordinated vulnerability disclosure and intends to operate a private, invitation-only bug-bounty program. Researchers may submit reports or request an invitation at security@neuroscale.ai; the disclosure SLA and safe-harbor commitments are published on the Vulnerability Management page.
  • 24x7 incident response — paged on-call coverage, defined severity levels, and customer-notification commitments fixed in contract.

Privacy highlights

Neuroscale’s data-handling practices, the categories collected, the purposes of processing, and the legal bases relied on are set out in the documents below.

Privacy Notice

Categories of data, purposes, legal bases, data-subject rights, and rights-exercise procedures.

Subprocessor List

Current third parties that process customer personal data on Neuroscale’s behalf.

Cookie Notice

Cookies and similar technologies used on Neuroscale properties.
A Data Processing Addendum is available to customers and incorporates the EU Standard Contractual Clauses and the UK Addendum where required for international transfers. Requests should be directed to legal@neuroscale.ai.

Customer data

Customer-uploaded content — resumes, ATS data, prompts, and other Customer-submitted material — is logically segregated and access is bounded to the tenant that owns it. Use of Customer Content is governed by the executed Master Agreement and Data Processing Addendum. Where Customer Content is used to train, fine-tune, evaluate, or improve Neuroscale’s own AI models, it is first transformed into Deidentified Data under Neuroscale’s Deidentification Standard: direct-identifier redaction, quasi-identifier generalization, k-anonymity ≥ 10, sensitive-attribute removal, differentially-private training, and a post-training reidentification audit (see AI Acceptable Use Policy → Deidentification standard). Raw Customer Content is never used in training; only the resulting Deidentified Data is, and this applies to every subscription tier. Tier-based controls govern training-use, not deidentification: Free-Tier Customers cannot opt out of training-use; paid-tier Customers may opt out of training-use via the Customer Admin settings or by writing to privacy@neuroscale.ai. Individual Candidates may also request opt-out from training by writing to privacy@neuroscale.ai; this operates directly where Neuroscale is the controller (the Sourcing Database and free-tier data) and, for Candidate data inside a paid Customer workspace, is routed to the Customer as controller, consistent with Privacy Notice §11. Neither Customer Content nor Deidentified Data is provided to any third-party AI provider for that provider’s training. Neuroscale is not a data broker under California, Texas, Vermont, Oregon, or analogous state laws. Third-party sub-processors are enumerated on the Subprocessor List.

AI transparency, bias-audit, and disparate-impact testing

Customer-facing AI features rely on third-party foundation models from approved enterprise providers (Anthropic, OpenAI, xAI, Cerebras), each operating under contractual prohibitions on training on Neuroscale-submitted inputs. The procedures and public notices below govern any Neuroscale-trained or Neuroscale-fine-tuned model that enters production; the current operational status is recorded under Operational status at the foot of this page. The following resources are published for Customers, Candidates, and regulators:
  • The AI Training-Data Transparency Notice — per-model summaries of training-data sources, deidentification method, reidentification-audit result, and bias-audit summary, satisfying California AB 2013 (Cal. Civ. Code §§22610 et seq., effective Jan 1, 2026) and the Colorado AI Act developer-side public statement (C.R.S. §6-1-1703(1)(a)).
  • The Employment-AI Bias-Audit and Disparate-Impact Testing Procedure — the developer-side procedure governing any feature used in consequential employment decisions: independent-auditor sign-off, 4/5ths adverse-impact testing per the EEOC and the Uniform Guidelines on Employee Selection Procedures (29 C.F.R. §1607), subgroup performance parity, and quarterly re-audit, in support of NYC Local Law 144, the Colorado AI Act, Illinois HB 3773, Texas TRAIGA, and analogous state laws.
  • The Reidentification Audit Procedure — corpus-level reidentification testing (k-anonymity verification, linkage attack, singling-out test) and model-level memorization testing (membership-inference, regurgitation probing, PII-leakage scan, adversarial extraction) executed before any production deployment of a Neuroscale-trained or Neuroscale-fine-tuned model.

Synthetic media of authenticated users

Neuroscale offers a customer-facing capability that enables an authenticated user to generate AI-synthesized video, audio, and lip-synced media of themselves. The feature processes biometric identifiers (voice prints, face geometry) and produces media depicting a real, identity-verified individual, and operates under a defense-in-depth control set documented in the AI Acceptable Use Policy → Synthetic media of persons and in the corresponding feature card of the AI Model Registry. The control set a Customer or end-user may rely on is summarized below.
  • Self-only synthesis. The feature synthesizes only the authenticated, identity-bound user. It does not generate media depicting any third party.
  • In-person, crew-supervised capture. Source material is captured by Neuroscale or authorized production crew in a controlled in-person filming session. User-uploaded video, audio, and photographs are not accepted as source material. Identity is verified at the start of the session (government-issued ID or equivalent), and consent is captured on a signed release at the same session.
  • AI-generated-content labeling and provenance. All outputs carry a persistent, visible AI-generated label at the point of display and an embedded provenance signal (C2PA-style cryptographic manifest where supported) on file export, in support of California SB 942, the Utah AI Policy Act, and EU AI Act Art. 50(4) for end-users in the EU.
  • State biometric-privacy compliance. Capture, storage, and processing operate consistent with the Illinois Biometric Information Privacy Act (740 ILCS 14), the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code §503.001), the Washington biometric law (RCW 19.375), and analogous regimes. The written biometric program — consent form, retention schedule, destruction schedule, and third-party-disclosure restrictions — is maintained by the General Counsel.
  • Right-of-publicity and digital-replica compliance. The feature operates consistent with the Tennessee ELVIS Act (T.C.A. §47-25-1101 et seq.), California AB 2602, New York Civil Rights Law §50-f, and analogous state digital-replica regimes.
  • Prohibited uses. Outputs may not be used to depict an opposing candidate, election official, or non-consenting third party; to convey false voting-logistics content (time, place, manner, eligibility); to misrepresent the synthetic output as personally recorded by the depicted individual; to produce non-consensual intimate imagery (state NCII laws and the federal DEFIANCE Act framework); for fraud, identity theft, or impersonation; to synthesize minors (capture sessions exclude individuals under 18); or for any unlawful purpose. Consenting self-synthesis is permitted; the state prohibition-tier election-deepfake statutes (Minnesota Stat. §609.771; Texas Elec. Code §255.004) attach where third-party likeness or candidate-injury intent is present. These prohibitions are incorporated into the Terms of Service and the filming-session release.
  • Political and campaign customer use. The feature supports lawful self-synthesis by political candidates, officeholders, and campaigns of their own likeness with their consent. The Customer is responsible for (i) TCPA prior express consent of each recipient before delivering generated content via voice or SMS channels, consistent with the FCC’s February 8, 2024 Declaratory Ruling (FCC 24-17) on AI voice-cloning; (ii) FEC public-communication disclaimers under 52 U.S.C. §30120 for any federal-candidate or federal-committee communication; (iii) state political-disclosure compliance (e.g., NY Elec. Law §14-106, FL F.S. §106.145, CA AB 2355, and analogous regimes); and (iv) the no-third-party-likeness, no-voting-logistics, and no-personal-recording-misrepresentation prohibitions above. See Terms of Service §8.9(h).
  • Abuse monitoring and takedown. The feature enforces generation rate limits, abuse-pattern detection, and a published takedown workflow. Reports may be sent to security@neuroscale.ai or abuse@neuroscale.ai.
  • DPIA. A Data Protection Impact Assessment under GDPR Art. 35(3)(b) and analogous state mandates is required for the feature and is being filed under the DPIA Procedure; a non-confidential summary will be made available on request under NDA via trust@neuroscale.ai once filed.

EU and UK readiness

Neuroscale’s documentation set is built to support EU and UK rollout when commercial readiness aligns with the regulatory build-out. As of the effective date of this page, no Neuroscale feature has been placed on the EU market. The General Counsel re-confirms tier and obligation set before any EU launch and on each material feature change. The applicable framework includes:
  • EU AI Act (Regulation (EU) 2024/1689) — Neuroscale’s recruitment-AI features are high-risk under Annex III(4) (employment / worker management). Neuroscale, as the Provider, performs the obligations of Arts. 9–17 (risk management, data governance, technical documentation, logging, transparency, human oversight, accuracy/robustness/cybersecurity, quality-management system) and the conformity-assessment, CE-marking, EU-database-registration, and post-market monitoring obligations of Arts. 43–73 before placement on the EU market. Where a Neuroscale-trained model qualifies as a general-purpose AI model, the Art. 53(1)(d) “sufficiently detailed summary of training content” attaches to the per-model row in the AI Training-Data Transparency Notice.
  • GDPR and UK GDPR — Neuroscale operates as Processor under DPA Section 4 documented instructions. Customer-Controller obligations under Arts. 6, 9, 14, 22, 28, and 35 are addressed in the Privacy Notice and Section 7 of the Terms of Service; developer-side technical inputs for Customer DPIAs are produced by the Employment-AI Bias-Audit Procedure and the Reidentification Audit Procedure.
  • Cross-border transfers — current reliance is on the Standard Contractual Clauses (Implementing Decision (EU) 2021/914) and the UK International Data Transfer Addendum, with supplementary measures, as described in the Cross-Border Transfers Procedure. Neuroscale’s own EU-U.S. Data Privacy Framework certification is in progress; until that certification is issued, transfers from the EEA / UK / Switzerland into Neuroscale’s US operations rely on the SCCs and the UK Addendum above, with supplementary measures. Where “DPF” appears against a sub-processor on the Subprocessor List, it refers to that sub-processor’s own DPF certification, not Neuroscale’s.
  • UK ICO guidance on AI in recruitment (2024) — UK-deployed features apply the ICO’s AI-and-data-protection toolkit; UK-specific candidate-notice templates form part of the Customer-facing toolkit referenced in the Employment-AI Bias-Audit Procedure → Customer-facing toolkit.

Vulnerability disclosure

Suspected security vulnerabilities in any Neuroscale product or service should be reported to security@neuroscale.ai. Encrypted submissions are accepted; request the PGP key in the initial message. Neuroscale commits to:
  • Acknowledge receipt within 2 business days.
  • Provide an initial assessment within 5 business days.
  • Update the reporter on remediation status through to closure.
  • Recognize researchers who report in good faith and follow this policy.
Researchers are asked to:
  • Allow Neuroscale a reasonable time to investigate and remediate before any public disclosure.
  • Avoid privacy violations, data destruction, service degradation, or interruption of service to other customers.
  • Test only against accounts the researcher owns or has explicit permission to test.
  • Refrain from exploiting a vulnerability beyond the minimum necessary to demonstrate it.
Neuroscale does not pursue legal action against researchers who report in good faith and follow this policy.

Sub-processors

A limited set of vetted third parties deliver portions of the service. The current list, the data each processes, and processing location are published on the Subprocessor List. Neuroscale provides at least 30 days advance notice before adding a new sub-processor that processes customer personal data (or 14 days where exigent circumstances exist), with a right to object as set out in the DPA. Customers may subscribe to change notifications via the Subprocessor List page.

Contact

TopicWhere
Report a security vulnerability or incidentsecurity@neuroscale.ai
Privacy questions, DSR / DSAR requestsprivacy@neuroscale.ai
Contracts, DPA, legal questionslegal@neuroscale.ai
Request SOC 2 report (under NDA)trust@neuroscale.ai
Neuroscale’s internal security and compliance program is documented and reviewed on a recurring cadence. Customers and prospects under NDA may request relevant excerpts of internal documentation as part of a security review.

Operational status

SubjectStatus
Neuroscale-trained or Neuroscale-fine-tuned model in productionNone as of May 14, 2026.
Customer-facing AI featuresPowered by third-party foundation models from approved enterprise providers (Anthropic, OpenAI, xAI, Cerebras), each operating under contractual prohibitions on training on Neuroscale-submitted inputs.
This page is updated within 30 days of any material change to operational status above.