Register Owner: CISO and General Counsel
Effective Date: May 8, 2026
Reviewed: Annually
Next Review: May 8, 2027
Effective Date: May 8, 2026
Reviewed: Annually
Next Review: May 8, 2027
| System / application | Data description | Retention period |
|---|---|---|
| PostgreSQL — AWS RDS / Aurora (production, primary) | Customer data | Up to 60 days after contract termination (per the Records Retention Schedule → Customer data) |
| PostgreSQL — Vultr-hosted (production, secondary) | Customer data routed to Vultr-hosted services | Up to 60 days after contract termination (per the Records Retention Schedule → Customer data) |
| AWS S3 (object storage, customer data) | Customer-uploaded files; backups | Per the Records Retention Schedule; 60-day rolling for backups |
| Vultr Object Storage (object storage, customer data) | Customer-uploaded files routed to Vultr-hosted services | Same as above; cross-cloud copy maintained in AWS S3 where contractually required |
| Linear (Helpdesk team queue, populated from intake.neuroscale.ai) | Support tickets and cases | Indefinite while the customer is active; 7 years post-termination, then deleted per the Records Retention Schedule. |
| Support call recordings | Not currently in scope — Neuroscale provides support via Slack and email; no support-phone recordings exist. Re-evaluate if a phone channel is added. | N/A |
| Better Stack | Security event and log data, network flow logs | 13 months (covers a full SOC 2 audit period plus grace; supports retrospective determination of breach awareness for GDPR Art. 33 / state-AG breach analysis). |
| CI scanners (Semgrep, Snyk, Trivy, Gitleaks, CodeQL — see Vulnerability Management → Tooling) | Vulnerability scan results | 6 months for findings; asset / inventory data retained until the asset is decommissioned and purged. |
| HubSpot | Opportunity and sales data | Indefinite while the account or active sales pursuit exists; 7 years post-termination of the customer relationship, then deleted per the Records Retention Schedule. |
| Internal QA tooling (test fixtures and synthetic data in CI) | QA / testing scenarios and results | 1 year for results; synthetic data deleted with the test run. Customer data is not used in QA per the Data Management Policy and Operations Security Policy. |
| Security policies | Security policies (policy library) | 1 year after archive |
| Temporary files | /tmp ephemeral storage | Automatically when process finishes |
Internal retention & disposal
Engineering sets and enforces data retention and disposal procedures for Neuroscale-managed accounts and devices.Customer accounts
Customer accounts and data are deleted within 60 days of contract termination via the documented data-deletion process. See Records Retention Schedule → Customer data.Devices
- Employee devices are collected promptly upon termination. Remote employees receive a shipping label; return is monitored.
- Collected devices are securely erased and re-provisioned, or removed from inventory.
- Damaged devices unable to be wiped are processed via an e-waste service with a Certificate of Destruction (COD). COD retained for 1 year.
- Physical destruction may be skipped if the device is verified as encrypted with full-disk encryption.
Legal holds
Records subject to legal holds are exempt from this matrix and are retained per Legal’s instructions. See Data Management Policy → Legal holds.Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |