Register Owner: General Counsel (with CISO for technical obligations)
Effective Date: June 13, 2026
Reviewed: At least annually and on any new or amended applicable law/contract
Frameworks: ISO/IEC 27001:2022 A.5.31 / A.5.34; ISO/IEC 42001; SOC 2; GDPR; US state privacy; EU AI Act
The register required by ISO/IEC 27001:2022 A.5.31 (identification of legal, statutory, regulatory, and contractual requirements) and supporting A.5.34 (privacy and PII). It is the single index of Neuroscale’s external compliance obligations and where each is implemented. It is maintained by the General Counsel and reviewed at each ISMS Management Review.
How to read
- Requirement — the law, regulation, standard, or contractual commitment.
- Applies because — the trigger that brings Neuroscale into scope.
- Status — In effect / Roadmap / Monitoring (enacted, not yet effective).
- Where addressed — the policy/procedure/notice that implements it.
1. Privacy & data protection
| Requirement | Applies because | Status | Where addressed |
|---|
| GDPR / UK GDPR | Processing of EU/UK personal data (Sourcing DB; customer candidates) | In effect | Privacy Notice, RoPA, DPA Template, DSR, DPIA, Cross-Border Transfers |
| CCPA / CPRA | California residents | In effect | Privacy Notice §16, CA Applicant/Personnel Notice, DSR |
| US state privacy laws (VCDPA, CPA, CTDPA, TDPSA, OCPA, MCDPA, ICDPA, and analogous) | Residents of enacting states | In effect (phased) | Privacy Notice, DSR per-state matrix |
| EU–US Data Privacy Framework | Transfer mechanism option | Monitoring (certification in progress; SCCs operative) | Cross-Border Transfers, Subprocessor List |
| Illinois BIPA (740 ILCS 14) | Aurora biometric capture | In effect | Aurora Capture Consent |
| FCRA (15 U.S.C. §1681) | Background checks (Checkr) | In effect | Background Checks, Background-Check Consent, Adverse Action Letter |
2. AI-specific
| Requirement | Applies because | Status | Where addressed |
|---|
| EU AI Act (Reg. (EU) 2024/1689) — Art. 50 transparency | AI features interacting with persons / synthetic media | Monitoring (applies Aug 2, 2026) | AI Acceptable Use, AI Interaction Disclosure, AI Model Registry |
| EU AI Act — Annex III high-risk (employment) | Recruiting/screening features, before EU placement | Monitoring (phased; ~Dec 2027) | AI Acceptable Use, DPIA/FRIA, AI Model Registry |
| NYC Local Law 144 (AEDT) | AEDT use in NYC by customers (deployer); Neuroscale as developer | In effect | Employment-AI Bias-Audit, AEDT Candidate Notice |
| Colorado AI Act (SB 24-205, as amended by SB 25-189) | High-risk AI in employment | Monitoring (effective Jan 1, 2027) | AI Acceptable Use, AI Training-Data Transparency |
| Illinois HB 3773 | AI in employment decisions | In effect (Jan 1, 2026) | Employment-AI Bias-Audit |
| California AB 2013 (training-data transparency) | Generative AI made available to Californians | In effect (Jan 1, 2026) | AI Training-Data Transparency Notice |
| California SB 942 (AI Transparency Act) | AI-generated content labeling | Monitoring (verify effective date / covered-provider threshold) | Terms of Service §8 |
| California SB 1001 (bot disclosure, §17941) | Automated outreach to Californians | In effect | AI Interaction Disclosure, Terms of Service |
| Utah AI Policy Act | Generative-AI disclosure | In effect (verify §/scope) | AI Interaction Disclosure |
| Texas Responsible AI Governance Act (TRAIGA) | Limited applicability (gov use / prohibited practices) | Monitoring | AI Acceptable Use |
3. Security frameworks & standards
| Requirement | Applies because | Status | Where addressed |
|---|
| SOC 2 (AICPA TSC) | Customer assurance commitment | In effect (window opens 2026-06-22) | Controls Inventory, System Description |
| ISO/IEC 27001:2022 | Certification target | Roadmap | SoA, ISMS Register |
| ISO/IEC 42001:2023 | AI-governance certification target | Roadmap | AIMS SoA, AI Acceptable Use → AIMS |
| FedRAMP High / DoD IL5 | Potential federal/defense customers | Roadmap (not a current commitment) | Compliance Frameworks |
4. Marketing, communications & trade
| Requirement | Applies because | Status | Where addressed |
|---|
| TCPA + state mini-TCPA (FL FTSA, WA CEMA, OK, MD) | Outbound SMS/voice to candidates | In effect | Outbound Communications, Terms of Service §8.8 |
| CAN-SPAM | Marketing email | In effect | Outbound Communications |
| EU ePrivacy / UK PECR | Cookies/tracking on EU/UK visitors | In effect | Cookie Notice |
| OFAC sanctions / EAR / ITAR scope-out | Federal/defense customers; export controls | In effect | Trade Compliance Policy, Export Classification Matrix |
| SOX §806 (voluntary adoption) | Whistleblower protection commitment | In effect (voluntary) | Whistleblower Policy |
5. Contractual commitments
| Requirement | Source | Where addressed |
|---|
| Customer security commitments | MSA / Terms of Service | Terms of Service, Trust Center |
| Data processing obligations (Art. 28) | Customer DPAs | DPA Template, RoPA processor activities |
| Availability / uptime (when effective) | SLA | SLA |
| Sub-processor flow-down | Vendor DPAs | Third-Party Management, Subprocessor List |
Maintenance
- Owner: General Counsel, with the CISO for security/technical obligations.
- Trigger review on: a new or amended applicable law; entry into a new jurisdiction or market (e.g., EU establishment); a new product/data category; a new material customer commitment.
- Changes that add or retire an obligation are reflected in the affected policy/notice in the same change set, and noted at the next ISMS Management Review.
Version history
| Version | Date | Description | Author | Approved by |
|---|
| 1.0 | June 13, 2026 | Initial legal, regulatory & contractual requirements register. | Cameron Wolfe | Ishan Jadhwani |