Register Owner: CISO
Effective Date: May 8, 2026
Reviewed: On each policy or control change; reconciled continuously with Vanta
Next Review: May 8, 2027
Effective Date: May 8, 2026
Reviewed: On each policy or control change; reconciled continuously with Vanta
Next Review: May 8, 2027
Operational mirror: the live, test-driven inventory is in Vanta. This inventory is the human-readable summary referenced from policies. It is reconciled with Vanta whenever a new policy is approved or a control is added/retired.
How the inventory is structured
| Column | Meaning |
|---|---|
| TSC | SOC 2 Trust Service Criteria reference (CC1.x – CC9.x for Common Criteria; A/C/PI/P for the additional criteria). Multiple criteria may apply to one control. Privacy (P1–P9) and Availability (A1) / Confidentiality (C1) rows are marked (deferred) for the initial Type II window per the Compliance Frameworks scope — they activate in the first subsequent window. |
| Domain | High-level grouping (Access, Change, Crypto, IR, etc.). |
| Control statement | The thing Neuroscale is committing to do. |
| Owner | Tier-1 executive responsible (per Roles & Responsibilities). |
| Source policy / procedure | The document where the control is codified. |
| Evidence source | Where the auditor will find evidence (Vanta test, log query, signed acknowledgement, ticket, etc.). |
| Cadence | How often the control runs / is tested. |
| Vanta control ID | The corresponding Vanta control ID(s) — Vanta’s human-readable externalId (e.g. IAC-7). Back-filled 2026-06-14 from the live Vanta SOC 2 control set; where several Vanta controls operate one inventory row, all are listed. These are cross-reference IDs; confirm against Vanta (and add any controls created after 2026-06-14) at the final pre-fieldwork reconciliation. |
Control inventory
| TSC | Domain | Control statement | Owner | Source | Evidence source | Cadence | Vanta ID |
|---|---|---|---|---|---|---|---|
| CC1.1 | Governance | The Code of Conduct establishes integrity and ethical-values commitments; all workforce members acknowledge it at hire and on annual re-ack. | CHRO + CEO | Code of Conduct, HR Security Policy | Vanta ack records (Code of Conduct + 24 other policies) | At hire + annual | HRS-3 |
| CC1.2 | Governance | Neuroscale is member-managed with no board; independence from management is demonstrated via documented compensating controls. Board and audit committee formally deferred per the Audit Committee Deferral Memo 2026; independent oversight is operated by VGC LLP (outside counsel) through quarterly review of the risk register and ISMS Management Review minutes, per-incident breach-determination review, conflicted-whistleblower-report routing, and annual independent governance review. No-board document evidence is the Executive Management Ethical Survey 2026. | CEO + GC | Audit Committee Deferral Memo 2026; Executive Management Ethical Survey 2026 | Signed memo in Risk Register; VGC quarterly review memos in SharePoint > SOC 2 > Governance; completed ethics survey | Quarterly + annual governance review | GOV-1, GOV-2, GOV-4 |
| CC1.3 | Governance | Organizational structure and reporting lines are documented; role concentration is disclosed with compensating-controls escalation. | CEO + CHRO | Roles & Responsibilities, Roles & Personnel | Roles & Personnel page (versioned); HRIS reporting structure | Quarterly review | GOV-7, GOV-8 |
| CC1.4 | HR | Workforce members are screened at hire (tiered Checkr); receive security-awareness training at hire and annually; acknowledge all policies. | CHRO + CISO | HR Security Policy, Background Checks, Security Awareness Training | Checkr report on file; Vanta training + ack records | At hire + annual | HRS-1, HRS-5, SAT-1 |
| CC1.5 | Governance | An anonymous reporting channel routes independently of management. GlobaLeaks hosted on a Vultr account owned by the CEO personally (CTO/CISO excluded from root); reports concerning the CEO/CTO/CISO route to VGC LLP. | CEO + GC | Whistleblower Policy, Audit Committee Deferral Memo 2026 | GlobaLeaks audit log; VGC investigation files; quarterly report-volume summary at each ISMS-MR | Continuous + per report | CPL-2 |
| CC2.2 | Communication | All policies are published, acknowledged by every workforce member, and updated through versioned PRs. Material changes trigger re-acknowledgement. | CISO + CHRO | How to use these docs, HR Security Policy | Vanta ack records; GitHub PR history | Continuous + annual re-ack | GOV-11 |
| CC2.3 | Communication | External communications (customer notices, breach notices, sub-processor changes) follow documented procedures with named approvers. | GC + CEO | Incident Response Policy, Customer Communications, Outbound Communications Policy | Breach-notice records; customer-notice records; Sub-processor List version history | Per event | GOV-6, PRM-1 |
| CC3.1 / CC3.2 | Risk | Risks are identified, assessed, and treated through an annual formal risk assessment and quarterly risk-register reviews; methodology is documented (5×5 matrix, 4 treatment options, NIST 800-30). | CISO | Risk Management Policy, Annual Risk Assessment | Annual risk-assessment report (/registers/annual-risk-assessment/<YYYY>.mdx); Vanta risk register | Annual + quarterly | RSK-1, RSK-2, RSK-3 |
| CC4.1 / CC4.2 | Monitoring | Control performance is monitored through continuous (Vanta), quarterly (risk-register, access-review), and annual (ISMS Management Review, pen-test, risk-assessment) reviews. | CISO + CEO | ISMS Management Review, Operations Security, Vulnerability Management | ISMS-MR minutes (/registers/management-review-minutes/); pen-test report; risk-assessment report; Vanta dashboard | Quarterly ISMS-MR; annual pen-test | IAO-1, IAO-2 |
| CC5.1 / CC5.2 | Control activities | Separation-of-duties controls are documented (production-release approval, background-check adjudication, cryptographic-root operations, ISMS-MR approval). Where CTO and CISO are held by one individual at current scale, the dual-presence requirement is satisfied by the same approver signing both capacities and by CEO independent attestation within 5 business days per the role-concentration compensating controls. Applied to: cryptographic-root operations (key rotation), Vault access review, DR-test Vault step, and ISMS-MR ratification. | CEO + CTO/CISO (combined) | Roles & Responsibilities → Role concentration, System Description §7.2, Key Rotation procedure, ISMS Management Review procedure | GitHub prevent-self-review enforcement; ISMS-MR minute sign-offs (CTO/CISO + GC + CEO); CEO-attestation rows on key-rotation, access-review, and DR-test evidence files | Continuous + per event | CHG-2, GOV-10 |
| CC6.1 / CC6.2 | Access | All workforce access is provisioned through Rippling SSO with role-based bundles; provisioning + deprovisioning follows documented SLAs. | CISO + CHRO | Access Control Policy, Access Matrix, Access Management, Offboarding | Vanta IdP integration; Rippling deprovisioning logs; Linear access tickets | Continuous + quarterly review | IAC-1, IAC-2, IAC-9, IAC-12 |
| CC6.1 / CC6.2 / CC6.3 | Access | Privileged access requires named approval; quarterly access review covers user, admin, and service accounts; remediation within 5 business days of sign-off. | CISO | Access Control Policy, Access Reviews | Per-system reviewer attestation; signed sign-off PDF in SharePoint > SOC 2 > Access Reviews > <YYYY-Q?> | Quarterly | IAC-3, IAC-7, IAC-9 |
| CC6.2 / CC6.3 | Access | Terminated user access is revoked on the tiered SLA in the Access Control Policy: within 1 hour for involuntary / for-cause / security-incident separations; by end of last business day for voluntary departures; same business day for privilege-reducing role changes; 24-business-hour outer ceiling for any edge case with CISO sign-off. Highly privileged credentials are rotated immediately on separation. | CISO + CHRO | Offboarding, Access Control Policy → Removal & adjustment | Rippling deprovisioning timestamps; offboarding ticket close-out time | Continuous | IAC-8 |
| CC6.5 | Asset | Decommissioned media is disposed via certified destruction with a signed Certificate of Destruction. | CISO | Records Disposal procedure, Asset Management Policy | Disposal log + CoDs in SharePoint Evidence Library | Per disposal | AST-1 |
| CC6.6 | Logging | Monthly admin-activity review (CISO + CTO substantive walk) and weekly log review (CISO) with CEO independent attestation co-signature on each note. | CISO + CTO + CEO | Log Review procedure | /registers/log-reviews/<YYYY>/admin/<YYYY-MM>.mdx; /registers/log-reviews/<YYYY>/<isoweek>.mdx | Weekly + monthly | MON-1, MON-2 |
| CC6.7 | Crypto | Customer data is encrypted at rest (AES-256) — AWS KMS-managed for AWS-resident services; Vultr platform-managed encryption for Vultr-resident services — and in transit (TLS 1.2+). For Confidential customer data on either cloud, Neuroscale’s standard architecture additionally applies a Vault Transit application-layer envelope wrap (Neuroscale-managed keys, never leave Vault); a CISO-maintained exception list enumerates workloads (e.g., transactional email, async workflow payloads, third-party-AI request bodies, log payloads) that rely on provider-managed encryption alone where the Vault Transit wrap is incompatible with the workload’s I/O model. The exception list is reviewed at each ISMS Management Review. | CISO | Cryptography Policy | Vanta AWS configuration tests; Vultr platform-encryption attestation; Vault Transit audit-device logs (Better Stack + AWS S3 Object Lock); CISO-maintained Vault Transit Exception List | Continuous | CRY-2, CRY-4, NET-1 |
| CC6.7 | Crypto | Production secrets are stored in HashiCorp Vault (cross-cloud secrets-of-record for both AWS- and Vultr-hosted workloads; workload-bound auth via Vault AWS / Kubernetes / AppRole / OIDC methods — no long-lived static tokens in production workload paths) — no secrets in source. Two documented carve-outs: (a) non-production developer secrets reside in the Dashlane Developer vault; (b) the Vault root token is sealed (break-glass only) in the CISO + CTO Dashlane vaults and is not a workload credential. | CTO | Secrets Management | GitGuardian / GitHub secret-scanning; CI checks; Vault audit-device logs to Better Stack and AWS S3 (Object Lock) | Continuous | CRY-1, CRY-2 |
| CC6.7 | Crypto | Keys are rotated per documented cadence (90-day classes natural; annual classes per the Key Rotation Plan — 2026 with at least one rotation per class inside the initial Type II window). | CISO + CTO | Cryptography Policy → Key rotation cadence, Key Rotation procedure, Key Rotation Plan — 2026 | Vault audit-device log; per-rotation evidence at /registers/key-rotations/<YYYY-MM>-<class>.mdx | Per cadence class | CRY-2 |
| CC6.7 + CC6.4 | Asset | All workforce devices are managed (Rippling MDM) and encrypted (FDE) per the device policy. | CISO | Asset Management Policy, Information Security Policy → Device policy | Rippling MDM compliance reports | Continuous | MDM-1 |
| CC7.1 | Vuln Mgmt | Vulnerability scans run at least quarterly with severity-based remediation SLAs (Critical 7d / High 30d / Medium 60d / Low 90d); risk-acceptance capped at 2× SLA without CEO approval. | CISO + Engineering | Vulnerability Management, Operations Security → Technical vulnerability management | Semgrep / CodeQL / Gitleaks / Snyk / Trivy reports (GitHub Advanced Security); Linear “Vulnerabilities” board; annual Horizon3 pen-test; risk-acceptance log | Continuous + quarterly review | OPS-1, VPM-1, VPM-2 |
| CC4.1 / CC7.1 | Vuln Mgmt | Independent penetration test (vendor: Horizon3) — first engagement scheduled in-window, annual thereafter — with retest of Critical/High findings within 30 days of remediation. | CISO | Vulnerability Management, Operations Security | Pen-test report due from the in-window Horizon3 engagement (fieldwork 2026); retest closure evidence to follow | First engagement in-window per Phase 3.3 / 3.4; annual thereafter | IAO-2 |
| CC7.2 / CC7.3 | Logging | Production systems (AWS and Vultr) emit security events to Better Stack with tiered retention; AWS infra logs flow through CloudWatch + S3 Object Lock; Vultr infra logs forward to Better Stack with audit copies in AWS S3 Object Lock. | CTO | Logging & Monitoring, Operations Security → Log retention tiers | Better Stack ingestion + retention configuration; CloudWatch + S3 Object Lock | Continuous | MON-1, MON-2 |
| CC7.3 | Logging | Cold-log retrieval SLA: 4 hours for P0/P1 incidents (S3 Standard-IA / Glacier Instant Retrieval); 2 business days for standard requests. First annual drill scheduled by 2026-05-31 per Readiness Timeline Phase 1.8; annual cadence thereafter. | CTO | Logging & Monitoring → Cold-log retrieval SLA | Retrieval drill at /registers/log-reviews/<YYYY>/retrieval-drill-<YYYY-MM>.mdx (first: 2026-05); per-incident retrieval logs | Per incident + annual drill | MON-2 |
| CC7.4 / CC7.5 | IR | An Incident Response Plan exists and assigns roles; severity-based escalation, RCA on every verified P0, breach-determination by CEO + GC, customer notice per contracts/law. | CISO + GC + CEO | Incident Response Policy | Linear “Security Incidents” project; RCA documents; breach-notice records | Per incident; annual tabletop deferred to subsequent window | IRO-1, IRO-2, IRO-3 |
| CC8.1 | Change | Code changes require peer review and a passing CI build; production deployments use change-approval ticketing with separation-of-duties enforced via GitHub prevent-self-review; emergency changes follow the emergency-change procedure with retrospective within 24 hours. | CTO | Code Review, Change Management, Secure Development Policy, Operations Security → Change management | GitHub branch-protection settings; PR history; GitHub Actions deploy logs; Linear ticket trail; emergency-change retrospective tickets | Continuous + per emergency | CHG-1, CHG-2, CHG-3 |
| CC9.1 | BCP | A backup-restore test (per data store) is performed at least quarterly per the DR & Backup-Restore Test procedure. | CTO + CISO | Business Continuity Policy, RTO/RPO Matrix | Per-quarter restore-test ticket in Linear; per-store evidence in SharePoint Evidence Library | Quarterly | BCD-2, GOV-5 |
| CC9.1 | BCP | A full DR exercise (tabletop or live) is performed at least annually, with at least one live failover per two-year period. First cycle deferred to subsequent window per annual-controls first-cycle treatment. | CTO + CISO | Business Continuity Policy, DR & Backup-Restore Test procedure | Annual after-action report; SharePoint Evidence Library | Annual | BCD-1, BCD-2 |
| CC9.2 | Vendor | All third parties with Confidential-data or production access undergo a tiered risk assessment before contract signature; High-tier vendors are re-reviewed annually per the Vendor Annual Review Schedule. | CISO + CFO | Third-Party Management Policy, Vendor Risk Assessment procedure, Vendor Inventory | Vendor Inventory; signed agreements; SOC 2 / DPA on file; Annual Review Notes in SharePoint Evidence Library | Continuous + annual (High tier) / biennial (Medium tier) | TPM-1, TPM-2 |
| A1.1 / A1.2 / A1.3 (deferred to subsequent window) | Availability | Customer-committed SLA, uptime monitoring, capacity planning, and recovery time/point objectives. Out of scope for the initial Type II window per the Compliance Frameworks scope decision; to be stood up before the first subsequent Type II window opens 2026-09-22. | CTO | RTO/RPO Matrix, Business Continuity Policy | Better Stack uptime status; capacity-planning records; DR test results | Deferred | — |
| C1.1 / C1.2 (deferred to subsequent window) | Confidentiality | Customer-data confidentiality protections (classification, handling, retention, deletion-on-termination within 60 days). Out of scope for the initial Type II window per the Compliance Frameworks scope decision; per-workload C1.x evidence to be stood up before the first subsequent Type II window. | CISO + GC | Data Management Policy, Cryptography Policy, Records Retention Schedule | Data Retention Matrix; deletion-job logs; encryption evidence | Deferred | — |
| P1 – P9 (deferred to subsequent window) | Privacy | Privacy notice (P1), choice/consent (P2), collection (P3), use/retention/disposal (P4), access (P5), disclosure (P6), quality (P7), monitoring/enforcement (P8), management commitment (P9). Out of scope for the initial Type II window per the Compliance Frameworks scope decision; existing privacy procedures (Data Subject Rights, DPIA, Cross-Border Transfers, Records Disposal, Customer Data Export, Re-identification Audit) operate but are not mapped to P-criteria in this report. To be mapped before the first subsequent Type II window. | GC (Privacy Officer + DPO) | Data Management Policy, Employee Privacy Policy, procedures above | DSR Tracker (Linear); DPIA Register; RoPA; Disposal Log | Deferred | — |
Out-of-scope today
- FedRAMP / DoD IL5 — near-term roadmap; not a current commitment. Federal customers (across civilian, defense, and law-enforcement missions) do not currently require FedRAMP for the services Neuroscale provides; DoD IL5 is anticipated as scope expands. See Compliance Frameworks → FedRAMP & DoD IL5 (near-term roadmap).
- PCI DSS — no cardholder data; not in scope.
Cross-references
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |
| 1.1 | June 3, 2026 | Refinements to the CC5, CC6.7, and CC7.3 rows. | Cameron Wolfe | Ishan Jadhwani, CEO |
| 1.2 | June 14, 2026 | Populated Vanta control-ID references for in-scope rows; clarified the termination-access SLA (CC6.2). | Cameron Wolfe | Pending |