Register Owner: CTO and General Counsel
Effective Date: May 8, 2026
Reviewed: On each material AI feature or model review and at least annually
Next Review: May 8, 2027
Effective Date: May 8, 2026
Reviewed: On each material AI feature or model review and at least annually
Next Review: May 8, 2027
Operational mirror: the working drafts and underlying reviewer comments live in the relevant DPIA / RFC tickets. This log is the durable summary referenced from the policy.
Review entry format
Each entry captures:| Field | Notes |
|---|---|
| Date | Review-meeting date. |
| Feature or model | Customer-facing name + the responsible product owner. |
| Trigger | Launch / material change / model update / regulatory trigger. |
| DPIA reference | Link to the DPIA in the DPIA Register where one was required. |
| Model registry reference | Link to the AI Model Registry entry. |
| Decision | Approved / Approved with conditions / Not approved / Deferred pending information. |
| Conditions | If approved with conditions, the specific conditions and the owner for each. |
| Re-review date | Default 24 months; sooner on material change. |
| Reviewers | Names + sign-off date. |
Active review entries
| Date | Feature / model | Trigger | DPIA | Model registry | Decision | Conditions | Re-review |
|---|---|---|---|---|---|---|---|
| 2026-05-07 | Approved AI provider stack — internal and customer-facing production use — Anthropic Claude (API + Team / Enterprise), OpenAI ChatGPT (Enterprise + API), xAI Grok (API + Enterprise), Cerebras (cerebras.ai inference). Owner: CTO. | Initial approval of the AI provider stack used in production SaaS features and as internal workforce tooling, per AI Acceptable Use → Approved tools. | DPIA required — opened in the DPIA Register covering customer-facing AI processing across all four providers. Subsequent customer-facing feature launches that introduce a new data category, processing purpose, or provider trigger a DPIA addendum. | AI Model Registry → Active models (customer-facing) | Approved with conditions | See Conditions tracker below. | 2028-05-07 |
Conditions tracker
Conditions attached to any “Approved with conditions” decision are tracked here until each is closed. An open condition past its target date is escalated to the CEO.| Decision date | Feature | Condition | Owner | Target date | Status |
|---|---|---|---|---|---|
| 2026-05-07 | AI provider stack | Enterprise / API tier only; consumer / free tiers prohibited (per AI Acceptable Use → Prohibited tools and uses). | CISO | Standing | Open — enforced via the IT-managed allowlist on Cloudflare Gateway and via product-side allowlist for customer-facing calls. |
| 2026-05-07 | AI provider stack | Signed enterprise data-processing terms (DPA + SCCs as needed) on file with each provider; no training on Neuroscale inputs. | CTO + GC | 2026-06-30 | In progress — collecting executed addenda. |
| 2026-05-07 | AI provider stack | SSO via Rippling where the provider supports it (workforce-side); production calls authenticate via per-environment API keys held in HashiCorp Vault (workload-bound auth — no long-lived static tokens). | CTO | 2026-06-30 | In progress. |
| 2026-05-07 | AI provider stack | All four providers listed on the public Sub-processor List; customer notification of new providers per the executed DPA Template notice obligations. | GC | Standing | Met — listed as of 2026-05-07. Subsequent additions trigger customer notice. |
| 2026-05-07 | AI provider stack | DPIA covering customer-facing AI processing maintained in the DPIA Register; re-reviewed every 24 months and on each material change. | GC + CTO | Standing | Open — DPIA owner records re-review dates. |
| 2026-05-07 | AI provider stack | Customer-facing AI surfaces carry the EU AI Act Art. 50 transparency disclosure (“you are interacting with an AI system”) in product UI for EU end-users. | CTO + GC | Pre-launch of EU-targeted features | Conditional — confirm before any EU launch. |
| 2026-05-07 | AI provider stack | No secrets or financial-record data sent to providers without an additional review. | CTO + GC | Standing | Open — enforced via product-side data-classification controls. |
Process
- Trigger. A product owner or engineering lead identifies a material AI launch / change. Material means: a new customer-facing model, a change in training data sources, a change in the third-party model provider, a change in the data Neuroscale sends to a third-party model, or any change that would affect the model card.
- Pre-review packet. The product owner prepares the model-card draft (per the AI Model Registry) and the DPIA (per the DPIA procedure) at least 5 business days before the review meeting.
- Review meeting. The AI risk-review group meets and discusses scope, data flows, residual risk, EU AI Act tiering, GPAI / systemic-risk applicability, and required customer disclosures. Outside counsel is engaged for non-trivial cross-jurisdictional questions.
- Decision. The General Counsel records the decision and conditions in this log. The CTO confirms launch dependencies. The CISO confirms safeguards.
- Communication. The product owner notifies the affected go-to-market and support teams; relevant disclosures are made to customers per their DPA.
- Re-review. Default cadence is 24 months. Earlier reviews are triggered by material changes (see Trigger above), regulatory developments, or incident learnings.
Cross-references
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |