Register Owner: General Counsel + CTO
Effective Date: June 13, 2026
Reviewed: On material change to data flows and at least annually
Frameworks: SOC 2 Confidentiality (C1); GDPR Art. 30 (supports the RoPA) / DPIA; ISO 27001 A.5.34.
Lifecycle of customer and candidate personal data through the platform. Complements the infrastructure view in the Network & Architecture Diagram and the activity records in the RoPA.

Personal-data flow

Notes

  • Lawful basis & roles: customer-workspace candidate data is processed as processor on the customer’s instruction; the Sourcing Database is controller processing under legitimate interests. See the RoPA and Privacy Notice.
  • AI boundary: data sent to model providers transits Portkey; providers are contractually barred from training on it. Training of Neuroscale’s own models uses the Deidentification Standard. See the AI Model Data-Flow Diagram.
  • Residency: all storage and sub-processing is US-region (incl. OVH US for avatar images).
  • Retention & deletion: per the Records Retention Schedule, Records Disposal, and Data Subject Rights; deletion propagates to backups within the backup-rotation window.

Cross-references

Version history

VersionDateDescriptionAuthorApproved by
1.0June 13, 2026Initial personal-data flow diagram.Cameron WolfeIshan Jadhwani