Register Owner: General Counsel (with CISO for technical obligations)
Effective Date: June 13, 2026
Reviewed: At least annually and on any new or amended applicable law/contract
Frameworks: ISO/IEC 27001:2022 A.5.31 / A.5.34; ISO/IEC 42001; SOC 2; GDPR; US state privacy; EU AI Act
The register required by ISO/IEC 27001:2022 A.5.31 (identification of legal, statutory, regulatory, and contractual requirements) and supporting A.5.34 (privacy and PII). It is the single index of Neuroscale’s external compliance obligations and where each is implemented. It is maintained by the General Counsel and reviewed at each ISMS Management Review.

How to read

  • Requirement — the law, regulation, standard, or contractual commitment.
  • Applies because — the trigger that brings Neuroscale into scope.
  • Status — In effect / Roadmap / Monitoring (enacted, not yet effective).
  • Where addressed — the policy/procedure/notice that implements it.

1. Privacy & data protection

RequirementApplies becauseStatusWhere addressed
GDPR / UK GDPRProcessing of EU/UK personal data (Sourcing DB; customer candidates)In effectPrivacy Notice, RoPA, DPA Template, DSR, DPIA, Cross-Border Transfers
CCPA / CPRACalifornia residentsIn effectPrivacy Notice §16, CA Applicant/Personnel Notice, DSR
US state privacy laws (VCDPA, CPA, CTDPA, TDPSA, OCPA, MCDPA, ICDPA, and analogous)Residents of enacting statesIn effect (phased)Privacy Notice, DSR per-state matrix
EU–US Data Privacy FrameworkTransfer mechanism optionMonitoring (certification in progress; SCCs operative)Cross-Border Transfers, Subprocessor List
Illinois BIPA (740 ILCS 14)Aurora biometric captureIn effectAurora Capture Consent
FCRA (15 U.S.C. §1681)Background checks (Checkr)In effectBackground Checks, Background-Check Consent, Adverse Action Letter

2. AI-specific

RequirementApplies becauseStatusWhere addressed
EU AI Act (Reg. (EU) 2024/1689) — Art. 50 transparencyAI features interacting with persons / synthetic mediaMonitoring (applies Aug 2, 2026)AI Acceptable Use, AI Interaction Disclosure, AI Model Registry
EU AI Act — Annex III high-risk (employment)Recruiting/screening features, before EU placementMonitoring (phased; ~Dec 2027)AI Acceptable Use, DPIA/FRIA, AI Model Registry
NYC Local Law 144 (AEDT)AEDT use in NYC by customers (deployer); Neuroscale as developerIn effectEmployment-AI Bias-Audit, AEDT Candidate Notice
Colorado AI Act (SB 24-205, as amended by SB 25-189)High-risk AI in employmentMonitoring (effective Jan 1, 2027)AI Acceptable Use, AI Training-Data Transparency
Illinois HB 3773AI in employment decisionsIn effect (Jan 1, 2026)Employment-AI Bias-Audit
California AB 2013 (training-data transparency)Generative AI made available to CaliforniansIn effect (Jan 1, 2026)AI Training-Data Transparency Notice
California SB 942 (AI Transparency Act)AI-generated content labelingMonitoring (verify effective date / covered-provider threshold)Terms of Service §8
California SB 1001 (bot disclosure, §17941)Automated outreach to CaliforniansIn effectAI Interaction Disclosure, Terms of Service
Utah AI Policy ActGenerative-AI disclosureIn effect (verify §/scope)AI Interaction Disclosure
Texas Responsible AI Governance Act (TRAIGA)Limited applicability (gov use / prohibited practices)MonitoringAI Acceptable Use

3. Security frameworks & standards

RequirementApplies becauseStatusWhere addressed
SOC 2 (AICPA TSC)Customer assurance commitmentIn effect (window opens 2026-06-22)Controls Inventory, System Description
ISO/IEC 27001:2022Certification targetRoadmapSoA, ISMS Register
ISO/IEC 42001:2023AI-governance certification targetRoadmapAIMS SoA, AI Acceptable Use → AIMS
FedRAMP High / DoD IL5Potential federal/defense customersRoadmap (not a current commitment)Compliance Frameworks

4. Marketing, communications & trade

RequirementApplies becauseStatusWhere addressed
TCPA + state mini-TCPA (FL FTSA, WA CEMA, OK, MD)Outbound SMS/voice to candidatesIn effectOutbound Communications, Terms of Service §8.8
CAN-SPAMMarketing emailIn effectOutbound Communications
EU ePrivacy / UK PECRCookies/tracking on EU/UK visitorsIn effectCookie Notice
OFAC sanctions / EAR / ITAR scope-outFederal/defense customers; export controlsIn effectTrade Compliance Policy, Export Classification Matrix
SOX §806 (voluntary adoption)Whistleblower protection commitmentIn effect (voluntary)Whistleblower Policy

5. Contractual commitments

RequirementSourceWhere addressed
Customer security commitmentsMSA / Terms of ServiceTerms of Service, Trust Center
Data processing obligations (Art. 28)Customer DPAsDPA Template, RoPA processor activities
Availability / uptime (when effective)SLASLA
Sub-processor flow-downVendor DPAsThird-Party Management, Subprocessor List

Maintenance

  • Owner: General Counsel, with the CISO for security/technical obligations.
  • Trigger review on: a new or amended applicable law; entry into a new jurisdiction or market (e.g., EU establishment); a new product/data category; a new material customer commitment.
  • Changes that add or retire an obligation are reflected in the affected policy/notice in the same change set, and noted at the next ISMS Management Review.

Version history

VersionDateDescriptionAuthorApproved by
1.0June 13, 2026Initial legal, regulatory & contractual requirements register.Cameron WolfeIshan Jadhwani