How to read this schedule
Each row identifies a record type, the retention period (and where the period starts running), the source / authority for the period, the owner (who is accountable that disposal happens or that the record is kept long enough), and the storage location for the canonical copy. Where multiple sources apply, Neuroscale follows the longest required period.
Schedule
Corporate
| Record type | Retention | Source / authority | Owner | Storage location |
|---|---|---|---|---|
| Articles / Certificate of Organization, operating agreement | Permanent | Virginia Limited Liability Company Act (Va. Code §§ 13.1-1000 et seq.); corporate hygiene | CFO | Microsoft SharePoint — Corporate folder; counsel’s office |
| Board / member resolutions and minutes | Permanent | Best practice; potential audit and litigation evidence | CFO | SharePoint — Corporate |
| Stock / unit ledger and cap-table records | Permanent | Va. Code § 13.1-1028 (member inspection rights); tax basis | CFO | Cap-table tool of record + SharePoint |
| Equity grant agreements (option / RSU / profits-interest) | Life of grant + 7 years post-exercise/cancellation | Tax basis (IRC §6501); IRS look-back | CFO | Cap-table tool + SharePoint |
| Commercial contracts (customer, vendor, partner) — executed | 7 years from expiration or termination | Statute of limitations on contracts (UCC §2-725 / state long-arm 4-6 yrs + buffer) | General Counsel | SharePoint — Contracts |
| NDAs | 7 years from expiration | Same as above | General Counsel | SharePoint — Contracts |
| Tax returns and supporting workpapers | 7 years from filing | IRC §6501(a) (3 yrs default), §6501(c)(1), §6501(e) (6 yrs for substantial omission); +1 buffer | CFO | Accounting system + SharePoint |
| Audit reports (financial) and audit workpapers | 7 years | SOX §802 / 18 U.S.C. §1520 (applies to public companies and audit firms; followed as best practice) | CFO | SharePoint — Finance |
| Insurance policies | Until expiration + 7 years | Long-tail claims; limitations periods | CFO | SharePoint — Insurance |
| Filed regulatory submissions (state, federal) | Permanent | Audit / regulatory inquiry | General Counsel | SharePoint — Compliance |
Customer data (Neuroscale as processor)
| Record type | Retention | Source / authority | Owner | Storage location |
|---|---|---|---|---|
| Customer-account configuration and metadata | Life of contract + 60 days post-termination | Customer DPA template; customer-controlled deletion | Engineering Lead | AWS (production DB — RDS / Aurora) and Vultr (Postgres) — per workload routing |
| Personal data of customer end users | Per Customer DPA template; default = match the customer’s documented instruction; default deletion 60 days post-termination | Customer is controller; Neuroscale is processor (GDPR Art. 28; CCPA service-provider terms) | Engineering Lead | AWS (production DB — RDS / Aurora) and Vultr (Postgres) — per workload routing |
| Customer support tickets, recordings, and transcripts | 3 years from ticket close (default) | Reasonable business need; matches contract limitations period | CTO | Support tool of record |
| Customer account-deletion confirmations | 7 years | Audit evidence of fulfilled deletion obligations | Engineering Lead | SharePoint — Compliance |
Personnel records (Neuroscale employees, contractors, applicants)
Neuroscale follows the longest of the federal floor, state floor (e.g., California adds 4 years on top of FLSA for some categories), and contract.
| Record type | Retention | Source / authority | Owner | Storage location |
|---|---|---|---|---|
| Job applications, resumes, interview notes (for unhired applicants) | 1 year from application or last action | EEOC regs 29 C.F.R. §1602.14; Title VII | CHRO | HRIS / ATS |
| Hiring records for executives and roles ≥ 100 employees subject to OFCCP | 2 years | OFCCP / 41 C.F.R. §60-1.12 | CHRO | HRIS / ATS |
| I-9 employment-eligibility forms | 3 years from hire date OR 1 year after termination, whichever is later | INA §274A; 8 C.F.R. §274a.2(b)(2) | CHRO | HRIS (separate I-9 vault) |
| Personnel file (offer letter, agreements, performance, training, discipline) | Term of employment + 7 years | EEOC, Title VII, ADEA (3 yrs); IRS (4 yrs); NLRA; CA Labor Code §1198.5 (3 yrs post-termination — federal floor extended for risk) | CHRO | HRIS |
| Payroll records (FLSA-covered) | 3 years | FLSA 29 C.F.R. §516.5 | CFO | Payroll system |
| Time cards, wage-rate schedules, work schedules (FLSA supplementary) | 2 years | FLSA 29 C.F.R. §516.6 | CFO | Payroll system |
| FMLA records | 3 years | FMLA 29 C.F.R. §825.500 | CHRO | HRIS (separate FMLA file) |
| ADA reasonable-accommodation records | Life of employee + 7 years | ADA + medical-records best practice; kept separately from personnel file | CHRO | HRIS (confidential medical file, separate) |
| Workplace-injury / OSHA Form 300, 300A, 301 logs | 5 years following the year covered | 29 C.F.R. §1904.33 | CHRO + CISO | HRIS / SharePoint |
| Workers’ compensation claims | Per state — generally life of claim + 5 years (CA), longer in some states | State workers’-comp statutes | CHRO | HRIS / SharePoint |
| Benefits plan documents, summary plan descriptions, Form 5500 | 6 years from filing | ERISA §107 (29 U.S.C. §1027) | CHRO + CFO | SharePoint |
| Participant-level benefits records | Life of participant + 6 years | ERISA §209; ERISA §107 | CHRO | Benefits provider system |
| Payroll-tax records (W-2, W-4, 1099) | 4 years after the tax due / paid date | IRC §6001; 26 C.F.R. §31.6001-1; IRS Pub. 583 | CFO | Payroll / accounting system |
| Equal Pay Act records | 3 years | EPA / 29 C.F.R. §1620.32 | CHRO | HRIS |
| Training records (Vanta LMS) | Term of employment + 7 years | Personnel record best practice | CHRO + CISO | Vanta |
Background checks and consumer reports
| Record type | Retention | Source / authority | Owner | Storage location |
|---|---|---|---|---|
| Pre-employment background-check report (Checkr) | 5 years post-hire | FCRA §1681; reasonable retention for the action taken | CHRO | Checkr + HRIS |
| Pre-adverse-action and adverse-action notices and supporting reports | 5 years from notice date | FCRA §1681m; statute of limitations for FCRA private actions (2/5 yr) | CHRO | HRIS — confidential file |
| Applicant disclosure-and-authorization forms | Term of employment + 5 years (or 5 years from decision for unhired applicants) | FCRA §1681b(b)(2) | CHRO | HRIS / ATS |
Financial records
| Record type | Retention | Source / authority | Owner | Storage location |
|---|---|---|---|---|
| General ledger, journals, trial balances | 7 years | IRS / SOX best practice | CFO | Accounting system |
| Accounts payable / receivable records, invoices | 7 years | IRC §6501; UCC §2-725 (4 yrs) + buffer | CFO | Accounting system |
| Bank statements, reconciliations, cancelled checks | 7 years | IRS; banking-secrecy regulations (BSA / 31 C.F.R. §1010.430 — 5 yrs) | CFO | Accounting system + bank portal |
| Audit workpapers (external) | 7 years | SOX §802 best-practice | CFO | Auditor + SharePoint |
| Expense reports and supporting receipts | 7 years | IRC §274; §6001 | CFO | Expense tool + accounting |
| Fixed-asset records | Life of asset + 7 years | IRC depreciation | CFO | Accounting system |
Marketing, consent, and cookies
| Record type | Retention | Source / authority | Owner | Storage location |
|---|---|---|---|---|
| Marketing-consent records (opt-in proof) | Until consent is withdrawn + 3 years | GDPR Art. 7(1) — proof obligation; CAN-SPAM enforcement (5-year claims period) | Marketing (Hanna Gillas) | Marketing automation |
| Suppression / unsubscribe lists | Indefinite (must persist to honor opt-outs) | CAN-SPAM 16 C.F.R. §316.5 — must retain to enforce | Marketing (Hanna Gillas) | Marketing automation |
| Cookie / consent-banner choices | Until withdrawn + 3 years | GDPR proof; ePrivacy Directive | Marketing (Hanna Gillas) | Consent-management platform |
| Lead and prospect records | While active + 3 years from last engagement | Reasonable business need | CEO (until a commercial lead is hired) | HubSpot |
Security and operations
| Record type | Retention | Source / authority | Owner | Storage location |
|---|---|---|---|---|
| Security event logs (Better Stack + CloudWatch) | Minimum 12 months online; archived per AWS lifecycle thereafter | SOC 2 CC7; ISO 27001 A.8.15 | CISO | Better Stack; CloudWatch |
| Authentication / access logs | 12 months | Same as above; see Operations Security — Logging & Monitoring | CISO | Better Stack / Rippling |
| Vulnerability scan results (Detectify, Dependabot, Snyk, Semgrep) | 1 year for findings; current state indefinite | SOC 2; ISO 27001 A.8.8 | CISO | Tool of record |
| Penetration-test reports | 7 years | Audit evidence; insurance | CISO | SharePoint |
| Incident records and post-mortems | 6 years | SOC 2 evidence; GDPR audit window | CISO | SharePoint — Compliance |
| Material-incident records (regulatory-reportable) | Permanent | Litigation likely; regulatory record | CISO + General Counsel | SharePoint — Compliance |
| Change-management records (GitHub, deploy logs) | 3 years | SOC 2 CC8; audit window | Engineering Lead | GitHub / CI logs |
| Access-review evidence | At least 1 year (see Access Reviews) | SOC 2 CC6 | CISO | SharePoint — SOC 2 evidence |
Privacy program records
| Record type | Retention | Source / authority | Owner | Storage location |
|---|---|---|---|---|
| DSR / DSAR records (request, verification, response, evidence of action) | 6 years from closure | GDPR audit window; state-law audit windows | General Counsel | DSR tracker |
| DPIAs / PIAs | 6 years from end of underlying processing | GDPR Art. 35 audit evidence | General Counsel + CISO | DPIA register |
| Cross-border transfer records — signed SCCs, UK Addenda, IDTAs, DPF self-certifications | Life of agreement + 6 years | GDPR Chapter V; audit | General Counsel | SharePoint — Privacy |
| Transfer Impact Assessments (TIAs) | 6 years | GDPR; Schrems II audit | General Counsel + CISO | SharePoint — Privacy |
| Records of Processing Activities (ROPA) | 6 years from last update | GDPR Art. 30 | General Counsel | SharePoint — Privacy |
| Government / law-enforcement data-access requests received and responses | Permanent | Litigation evidence; transparency obligations | General Counsel | SharePoint — Privacy (restricted) |
Vendor records
| Record type | Retention | Source / authority | Owner | Storage location |
|---|---|---|---|---|
| Vendor agreement, DPA, SCCs | Life of agreement + 6 years | SOC 2; contract limitations | General Counsel | SharePoint — Contracts |
| Vendor security questionnaires, SOC 2 / ISO 27001 reports | Term of relationship + 3 years | SOC 2 evidence | CISO | Vanta |
| Vendor risk-assessment records | Term of relationship + 3 years | See Vendor Risk Assessment | CISO | Vanta |
System backups
| Record type | Retention | Source / authority | Owner | Storage location |
|---|---|---|---|---|
| Production database backups | 60 days operational rolling, then aged out per cloud-provider lifecycle policy | Operational recovery; balanced against deletion-on-request obligations | Engineering Lead | AWS Backup / S3 (lifecycle) for AWS-hosted DBs; Postgres WAL archives in Vultr Object Storage for Vultr-hosted DBs (with cross-cloud copy to AWS S3 for Confidential workloads) |
| Object-store snapshots | 60 days operational; lifecycle thereafter | Same | Engineering Lead | AWS S3 (versioning) and Vultr Object Storage (versioning) — per workload routing |
| Backup index / restoration logs | 1 year | SOC 2 CC9 | Engineering Lead | AWS / Better Stack |
Legal holds
A legal hold (also called a litigation hold or preservation notice) overrides every period in this schedule. When the General Counsel issues a hold, custodians must preserve all in-scope records — including emails, Slack messages, documents, source code branches, and ephemeral data — until the hold is released in writing.
- The General Counsel issues, scopes, and releases legal holds.
- CHRO applies the hold to departing employees (no purge of mailbox or files until released).
- IT applies retention overrides in Microsoft Purview, SharePoint, Slack, and any other in-scope system.
- The legal-hold register lives in the Legal Holds project in Linear (restricted access) and contains: matter name, custodians, scope, issued date, last-reviewed date, release date.
- Holds are reviewed at least every 6 months for continued necessity.
Disposal
When a record reaches the end of its retention period and is not on hold, it is securely disposed of per the Records Disposal procedure. Disposal evidence (where applicable — e.g., Certificate of Destruction for media) is itself retained per Records Disposal.
Review
This schedule is reviewed by the General Counsel + CISO at least annually, and on any material change in law (new state privacy law adopted; GDPR amendment; SEC or sector-specific rule change). Material changes are version-controlled and announced internally.
Cross-references
- Data Management Policy
- Data Retention Matrix — system-by-system view
- Records Disposal
- Data Subject Rights Procedure
- DPIA Procedure
- Cross-Border Transfers
- Vendor Risk Assessment
- Operations Security — Logging & Monitoring
- Employee Privacy Policy
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |