Register Owner: General Counsel + CTO
Effective Date: June 13, 2026
Reviewed: On material change to data flows and at least annually
Frameworks: SOC 2 Confidentiality (C1); GDPR Art. 30 (supports the RoPA) / DPIA; ISO 27001 A.5.34.
Effective Date: June 13, 2026
Reviewed: On material change to data flows and at least annually
Frameworks: SOC 2 Confidentiality (C1); GDPR Art. 30 (supports the RoPA) / DPIA; ISO 27001 A.5.34.
Personal-data flow
Notes
- Lawful basis & roles: customer-workspace candidate data is processed as processor on the customer’s instruction; the Sourcing Database is controller processing under legitimate interests. See the RoPA and Privacy Notice.
- AI boundary: data sent to model providers transits Portkey; providers are contractually barred from training on it. Training of Neuroscale’s own models uses the Deidentification Standard. See the AI Model Data-Flow Diagram.
- Residency: all storage and sub-processing is US-region (incl. OVH US for avatar images).
- Retention & deletion: per the Records Retention Schedule, Records Disposal, and Data Subject Rights; deletion propagates to backups within the backup-rotation window.
Cross-references
- RoPA · Network & Architecture Diagram · AI Model Data-Flow Diagram
- Privacy Notice · Subprocessor List · Records Retention Schedule
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | June 13, 2026 | Initial personal-data flow diagram. | Cameron Wolfe | Ishan Jadhwani |