Register Owner: CISO
Effective Date: May 8, 2026
Reviewed: On each policy or control change; reconciled continuously with Vanta
Next Review: May 8, 2027
The Neuroscale-side controls inventory referenced from the Configuration Hardening page (which describes AWS shared-responsibility) and from Compliance Frameworks.
Operational mirror: the live, test-driven inventory is in Vanta. This inventory is the human-readable summary referenced from policies. It is reconciled with Vanta whenever a new policy is approved or a control is added/retired.

How the inventory is structured

ColumnMeaning
TSCSOC 2 Trust Service Criteria reference (CC1.x – CC9.x for Common Criteria; A/C/PI/P for the additional criteria). Multiple criteria may apply to one control. Privacy (P1–P9) and Availability (A1) / Confidentiality (C1) rows are marked (deferred) for the initial Type II window per the Compliance Frameworks scope — they activate in the first subsequent window.
DomainHigh-level grouping (Access, Change, Crypto, IR, etc.).
Control statementThe thing Neuroscale is committing to do.
OwnerTier-1 executive responsible (per Roles & Responsibilities).
Source policy / procedureThe document where the control is codified.
Evidence sourceWhere the auditor will find evidence (Vanta test, log query, signed acknowledgement, ticket, etc.).
CadenceHow often the control runs / is tested.
Vanta control IDThe corresponding Vanta control ID(s) — Vanta’s human-readable externalId (e.g. IAC-7). Back-filled 2026-06-14 from the live Vanta SOC 2 control set; where several Vanta controls operate one inventory row, all are listed. These are cross-reference IDs; confirm against Vanta (and add any controls created after 2026-06-14) at the final pre-fieldwork reconciliation.

Control inventory

TSCDomainControl statementOwnerSourceEvidence sourceCadenceVanta ID
CC1.1GovernanceThe Code of Conduct establishes integrity and ethical-values commitments; all workforce members acknowledge it at hire and on annual re-ack.CHRO + CEOCode of Conduct, HR Security PolicyVanta ack records (Code of Conduct + 24 other policies)At hire + annualHRS-3
CC1.2GovernanceNeuroscale is member-managed with no board; independence from management is demonstrated via documented compensating controls. Board and audit committee formally deferred per the Audit Committee Deferral Memo 2026; independent oversight is operated by VGC LLP (outside counsel) through quarterly review of the risk register and ISMS Management Review minutes, per-incident breach-determination review, conflicted-whistleblower-report routing, and annual independent governance review. No-board document evidence is the Executive Management Ethical Survey 2026.CEO + GCAudit Committee Deferral Memo 2026; Executive Management Ethical Survey 2026Signed memo in Risk Register; VGC quarterly review memos in SharePoint > SOC 2 > Governance; completed ethics surveyQuarterly + annual governance reviewGOV-1, GOV-2, GOV-4
CC1.3GovernanceOrganizational structure and reporting lines are documented; role concentration is disclosed with compensating-controls escalation.CEO + CHRORoles & Responsibilities, Roles & PersonnelRoles & Personnel page (versioned); HRIS reporting structureQuarterly reviewGOV-7, GOV-8
CC1.4HRWorkforce members are screened at hire (tiered Checkr); receive security-awareness training at hire and annually; acknowledge all policies.CHRO + CISOHR Security Policy, Background Checks, Security Awareness TrainingCheckr report on file; Vanta training + ack recordsAt hire + annualHRS-1, HRS-5, SAT-1
CC1.5GovernanceAn anonymous reporting channel routes independently of management. GlobaLeaks hosted on a Vultr account owned by the CEO personally (CTO/CISO excluded from root); reports concerning the CEO/CTO/CISO route to VGC LLP.CEO + GCWhistleblower Policy, Audit Committee Deferral Memo 2026GlobaLeaks audit log; VGC investigation files; quarterly report-volume summary at each ISMS-MRContinuous + per reportCPL-2
CC2.2CommunicationAll policies are published, acknowledged by every workforce member, and updated through versioned PRs. Material changes trigger re-acknowledgement.CISO + CHROHow to use these docs, HR Security PolicyVanta ack records; GitHub PR historyContinuous + annual re-ackGOV-11
CC2.3CommunicationExternal communications (customer notices, breach notices, sub-processor changes) follow documented procedures with named approvers.GC + CEOIncident Response Policy, Customer Communications, Outbound Communications PolicyBreach-notice records; customer-notice records; Sub-processor List version historyPer eventGOV-6, PRM-1
CC3.1 / CC3.2RiskRisks are identified, assessed, and treated through an annual formal risk assessment and quarterly risk-register reviews; methodology is documented (5×5 matrix, 4 treatment options, NIST 800-30).CISORisk Management Policy, Annual Risk AssessmentAnnual risk-assessment report (/registers/annual-risk-assessment/<YYYY>.mdx); Vanta risk registerAnnual + quarterlyRSK-1, RSK-2, RSK-3
CC4.1 / CC4.2MonitoringControl performance is monitored through continuous (Vanta), quarterly (risk-register, access-review), and annual (ISMS Management Review, pen-test, risk-assessment) reviews.CISO + CEOISMS Management Review, Operations Security, Vulnerability ManagementISMS-MR minutes (/registers/management-review-minutes/); pen-test report; risk-assessment report; Vanta dashboardQuarterly ISMS-MR; annual pen-testIAO-1, IAO-2
CC5.1 / CC5.2Control activitiesSeparation-of-duties controls are documented (production-release approval, background-check adjudication, cryptographic-root operations, ISMS-MR approval). Where CTO and CISO are held by one individual at current scale, the dual-presence requirement is satisfied by the same approver signing both capacities and by CEO independent attestation within 5 business days per the role-concentration compensating controls. Applied to: cryptographic-root operations (key rotation), Vault access review, DR-test Vault step, and ISMS-MR ratification.CEO + CTO/CISO (combined)Roles & Responsibilities → Role concentration, System Description §7.2, Key Rotation procedure, ISMS Management Review procedureGitHub prevent-self-review enforcement; ISMS-MR minute sign-offs (CTO/CISO + GC + CEO); CEO-attestation rows on key-rotation, access-review, and DR-test evidence filesContinuous + per eventCHG-2, GOV-10
CC6.1 / CC6.2AccessAll workforce access is provisioned through Rippling SSO with role-based bundles; provisioning + deprovisioning follows documented SLAs.CISO + CHROAccess Control Policy, Access Matrix, Access Management, OffboardingVanta IdP integration; Rippling deprovisioning logs; Linear access ticketsContinuous + quarterly reviewIAC-1, IAC-2, IAC-9, IAC-12
CC6.1 / CC6.2 / CC6.3AccessPrivileged access requires named approval; quarterly access review covers user, admin, and service accounts; remediation within 5 business days of sign-off.CISOAccess Control Policy, Access ReviewsPer-system reviewer attestation; signed sign-off PDF in SharePoint > SOC 2 > Access Reviews > <YYYY-Q?>QuarterlyIAC-3, IAC-7, IAC-9
CC6.2 / CC6.3AccessTerminated user access is revoked on the tiered SLA in the Access Control Policy: within 1 hour for involuntary / for-cause / security-incident separations; by end of last business day for voluntary departures; same business day for privilege-reducing role changes; 24-business-hour outer ceiling for any edge case with CISO sign-off. Highly privileged credentials are rotated immediately on separation.CISO + CHROOffboarding, Access Control Policy → Removal & adjustmentRippling deprovisioning timestamps; offboarding ticket close-out timeContinuousIAC-8
CC6.5AssetDecommissioned media is disposed via certified destruction with a signed Certificate of Destruction.CISORecords Disposal procedure, Asset Management PolicyDisposal log + CoDs in SharePoint Evidence LibraryPer disposalAST-1
CC6.6LoggingMonthly admin-activity review (CISO + CTO substantive walk) and weekly log review (CISO) with CEO independent attestation co-signature on each note.CISO + CTO + CEOLog Review procedure/registers/log-reviews/<YYYY>/admin/<YYYY-MM>.mdx; /registers/log-reviews/<YYYY>/<isoweek>.mdxWeekly + monthlyMON-1, MON-2
CC6.7CryptoCustomer data is encrypted at rest (AES-256) — AWS KMS-managed for AWS-resident services; Vultr platform-managed encryption for Vultr-resident services — and in transit (TLS 1.2+). For Confidential customer data on either cloud, Neuroscale’s standard architecture additionally applies a Vault Transit application-layer envelope wrap (Neuroscale-managed keys, never leave Vault); a CISO-maintained exception list enumerates workloads (e.g., transactional email, async workflow payloads, third-party-AI request bodies, log payloads) that rely on provider-managed encryption alone where the Vault Transit wrap is incompatible with the workload’s I/O model. The exception list is reviewed at each ISMS Management Review.CISOCryptography PolicyVanta AWS configuration tests; Vultr platform-encryption attestation; Vault Transit audit-device logs (Better Stack + AWS S3 Object Lock); CISO-maintained Vault Transit Exception ListContinuousCRY-2, CRY-4, NET-1
CC6.7CryptoProduction secrets are stored in HashiCorp Vault (cross-cloud secrets-of-record for both AWS- and Vultr-hosted workloads; workload-bound auth via Vault AWS / Kubernetes / AppRole / OIDC methods — no long-lived static tokens in production workload paths) — no secrets in source. Two documented carve-outs: (a) non-production developer secrets reside in the Dashlane Developer vault; (b) the Vault root token is sealed (break-glass only) in the CISO + CTO Dashlane vaults and is not a workload credential.CTOSecrets ManagementGitGuardian / GitHub secret-scanning; CI checks; Vault audit-device logs to Better Stack and AWS S3 (Object Lock)ContinuousCRY-1, CRY-2
CC6.7CryptoKeys are rotated per documented cadence (90-day classes natural; annual classes per the Key Rotation Plan — 2026 with at least one rotation per class inside the initial Type II window).CISO + CTOCryptography Policy → Key rotation cadence, Key Rotation procedure, Key Rotation Plan — 2026Vault audit-device log; per-rotation evidence at /registers/key-rotations/<YYYY-MM>-<class>.mdxPer cadence classCRY-2
CC6.7 + CC6.4AssetAll workforce devices are managed (Rippling MDM) and encrypted (FDE) per the device policy.CISOAsset Management Policy, Information Security Policy → Device policyRippling MDM compliance reportsContinuousMDM-1
CC7.1Vuln MgmtVulnerability scans run at least quarterly with severity-based remediation SLAs (Critical 7d / High 30d / Medium 60d / Low 90d); risk-acceptance capped at 2× SLA without CEO approval.CISO + EngineeringVulnerability Management, Operations Security → Technical vulnerability managementSemgrep / CodeQL / Gitleaks / Snyk / Trivy reports (GitHub Advanced Security); Linear “Vulnerabilities” board; annual Horizon3 pen-test; risk-acceptance logContinuous + quarterly reviewOPS-1, VPM-1, VPM-2
CC4.1 / CC7.1Vuln MgmtIndependent penetration test (vendor: Horizon3) — first engagement scheduled in-window, annual thereafter — with retest of Critical/High findings within 30 days of remediation.CISOVulnerability Management, Operations SecurityPen-test report due from the in-window Horizon3 engagement (fieldwork 2026); retest closure evidence to followFirst engagement in-window per Phase 3.3 / 3.4; annual thereafterIAO-2
CC7.2 / CC7.3LoggingProduction systems (AWS and Vultr) emit security events to Better Stack with tiered retention; AWS infra logs flow through CloudWatch + S3 Object Lock; Vultr infra logs forward to Better Stack with audit copies in AWS S3 Object Lock.CTOLogging & Monitoring, Operations Security → Log retention tiersBetter Stack ingestion + retention configuration; CloudWatch + S3 Object LockContinuousMON-1, MON-2
CC7.3LoggingCold-log retrieval SLA: 4 hours for P0/P1 incidents (S3 Standard-IA / Glacier Instant Retrieval); 2 business days for standard requests. First annual drill scheduled by 2026-05-31 per Readiness Timeline Phase 1.8; annual cadence thereafter.CTOLogging & Monitoring → Cold-log retrieval SLARetrieval drill at /registers/log-reviews/<YYYY>/retrieval-drill-<YYYY-MM>.mdx (first: 2026-05); per-incident retrieval logsPer incident + annual drillMON-2
CC7.4 / CC7.5IRAn Incident Response Plan exists and assigns roles; severity-based escalation, RCA on every verified P0, breach-determination by CEO + GC, customer notice per contracts/law.CISO + GC + CEOIncident Response PolicyLinear “Security Incidents” project; RCA documents; breach-notice recordsPer incident; annual tabletop deferred to subsequent windowIRO-1, IRO-2, IRO-3
CC8.1ChangeCode changes require peer review and a passing CI build; production deployments use change-approval ticketing with separation-of-duties enforced via GitHub prevent-self-review; emergency changes follow the emergency-change procedure with retrospective within 24 hours.CTOCode Review, Change Management, Secure Development Policy, Operations Security → Change managementGitHub branch-protection settings; PR history; GitHub Actions deploy logs; Linear ticket trail; emergency-change retrospective ticketsContinuous + per emergencyCHG-1, CHG-2, CHG-3
CC9.1BCPA backup-restore test (per data store) is performed at least quarterly per the DR & Backup-Restore Test procedure.CTO + CISOBusiness Continuity Policy, RTO/RPO MatrixPer-quarter restore-test ticket in Linear; per-store evidence in SharePoint Evidence LibraryQuarterlyBCD-2, GOV-5
CC9.1BCPA full DR exercise (tabletop or live) is performed at least annually, with at least one live failover per two-year period. First cycle deferred to subsequent window per annual-controls first-cycle treatment.CTO + CISOBusiness Continuity Policy, DR & Backup-Restore Test procedureAnnual after-action report; SharePoint Evidence LibraryAnnualBCD-1, BCD-2
CC9.2VendorAll third parties with Confidential-data or production access undergo a tiered risk assessment before contract signature; High-tier vendors are re-reviewed annually per the Vendor Annual Review Schedule.CISO + CFOThird-Party Management Policy, Vendor Risk Assessment procedure, Vendor InventoryVendor Inventory; signed agreements; SOC 2 / DPA on file; Annual Review Notes in SharePoint Evidence LibraryContinuous + annual (High tier) / biennial (Medium tier)TPM-1, TPM-2
A1.1 / A1.2 / A1.3 (deferred to subsequent window)AvailabilityCustomer-committed SLA, uptime monitoring, capacity planning, and recovery time/point objectives. Out of scope for the initial Type II window per the Compliance Frameworks scope decision; to be stood up before the first subsequent Type II window opens 2026-09-22.CTORTO/RPO Matrix, Business Continuity PolicyBetter Stack uptime status; capacity-planning records; DR test resultsDeferred
C1.1 / C1.2 (deferred to subsequent window)ConfidentialityCustomer-data confidentiality protections (classification, handling, retention, deletion-on-termination within 60 days). Out of scope for the initial Type II window per the Compliance Frameworks scope decision; per-workload C1.x evidence to be stood up before the first subsequent Type II window.CISO + GCData Management Policy, Cryptography Policy, Records Retention ScheduleData Retention Matrix; deletion-job logs; encryption evidenceDeferred
P1 – P9 (deferred to subsequent window)PrivacyPrivacy notice (P1), choice/consent (P2), collection (P3), use/retention/disposal (P4), access (P5), disclosure (P6), quality (P7), monitoring/enforcement (P8), management commitment (P9). Out of scope for the initial Type II window per the Compliance Frameworks scope decision; existing privacy procedures (Data Subject Rights, DPIA, Cross-Border Transfers, Records Disposal, Customer Data Export, Re-identification Audit) operate but are not mapped to P-criteria in this report. To be mapped before the first subsequent Type II window.GC (Privacy Officer + DPO)Data Management Policy, Employee Privacy Policy, procedures aboveDSR Tracker (Linear); DPIA Register; RoPA; Disposal LogDeferred

Out-of-scope today

  • FedRAMP / DoD IL5 — near-term roadmap; not a current commitment. Federal customers (across civilian, defense, and law-enforcement missions) do not currently require FedRAMP for the services Neuroscale provides; DoD IL5 is anticipated as scope expands. See Compliance Frameworks → FedRAMP & DoD IL5 (near-term roadmap).
  • PCI DSS — no cardholder data; not in scope.

Cross-references

Version history

VersionDateDescriptionAuthorApproved by
1.0May 8, 2026Initial versionCameron WolfeIshan Jadhwani
1.1June 3, 2026Refinements to the CC5, CC6.7, and CC7.3 rows.Cameron WolfeIshan Jadhwani, CEO
1.2June 14, 2026Populated Vanta control-ID references for in-scope rows; clarified the termination-access SLA (CC6.2).Cameron WolfePending