Register Owner: General Counsel
Effective Date: May 10, 2026
Reviewed: At least annually and on each material change to a processing activity, sub-processor list, or applicable law
Next Review: May 10, 2027

Controller identity and contact (Art. 30(1)(a))

  • Controller: NEUROSCALE LLC, 46175 Westlake Dr Ste 300, Sterling, VA 20165, USA.
  • Privacy contact / Art. 30(1)(a) point of contact: General Counsel, privacy@neuroscale.ai. Neuroscale has not made a mandatory Art. 37 DPO designation (the threshold is not triggered); the General Counsel performs DPO-equivalent duties voluntarily and is the standing contact for supervisory authorities and data subjects. See Roles & Responsibilities → Regulatory aliases.
  • EU / UK Art. 27 representative: not appointed (no EU/UK establishment and no Art. 3(2) trigger met as of the effective date); the General Counsel re-confirms this on each material change to EU/UK-facing processing.
  • General description of technical and organizational measures (Art. 30(1)(g)): the baseline TOMs applicable across all controller activities are described in the Information Security Policy, the Cryptography Policy (encryption in transit and at rest), the Access Control Policy (least privilege, MFA, SoD), and the Trust Center. Per-activity deviations or additions are noted in the TOMs column of each table below.
Document status — v1.0. This register is the canonical source for Article 30 GDPR (and UK GDPR Art. 30) Records of Processing Activities. It is maintained as a living register; entries are added as new processing activities go live and amended on material change. Each entry is reviewed by the General Counsel at least annually. Where any entry conflicts with an executed customer DPA, the customer DPA controls for that customer’s data; the entry is still maintained here for completeness.

Purpose

Maintain the records required by GDPR Art. 30(1) (controller) and GDPR Art. 30(2) (processor), plus analogous obligations under UK GDPR Art. 30 and applicable state-law disclosure provisions. This register supports DPIA work, DSR routing, supervisory-authority cooperation, and incident-response scoping.

How to read

Each row in the controller / processor tables below corresponds to a single processing activity. Activities are scoped narrowly — a single “purpose family” plus the data flowing through it. Where one technical system supports multiple purposes, multiple rows exist. Column glossary:
  • Purpose — the operational outcome the activity is designed to produce.
  • Legal basis (EU/UK) — GDPR Art. 6 basis; Art. 9 derogation where special-category data is in scope.
  • Categories of Data Subjects.
  • Categories of Personal Data.
  • Recipients — internal teams; sub-processors; legal/regulatory recipients.
  • Cross-border transfers — destinations and transfer mechanisms.
  • Retention — pointer to the Records Retention Schedule row.
  • TOMs reference — pointer to the Information Security Policy, Cryptography Policy, or Trust Center.
  • Source of data — direct collection; indirect collection; both.

1. Controller activities (Art. 30(1))

Activities where Neuroscale determines the means and purposes.
IDPurposeLegal basis (EU/UK)Categories of Data SubjectsCategories of Personal DataRecipientsCross-border transfersRetentionTOMs (Art. 30(1)(g))Source
C-01Operate Neuroscale’s workforce — recruit, hire, employ, manage, pay, offboardPerformance of contract; legal obligation; legitimate interestsApplicants; employees; contractors; their emergency contacts and dependents (limited)Identifiers; contact data; employment history; education; compensation; tax identifiers; background-check results; benefits data; performance dataHRBP; Rippling (HRIS / IdP / MDM / EDR; Rippling Global EOR for non-US workers); Checkr (background checks); payroll provider; insurance broker; Microsoft 365; legal recipients (e.g., DOL)US — primarily domestic. Workforce-data inbound flows from Brazilian-resident workers (LGPD, Lei 13.709/2018) and Indian-resident workers (DPDP Act, 2023 once notified) into US-resident processors (Rippling US, Checkr US, M365 US, Vanta US, GitHub US, AWS US, Vultr US) are governed by the Cross-Border Transfers procedure; per-country lawful-basis and transfer-mechanism analysis is in the Non-US Workforce SOC 2 Brief. Where Rippling acts as employer-of-record, Rippling executes its own LGPD / DPDP compliance as employer; Neuroscale retains controller obligations for Neuroscale-side processing.RRS — Personnel recordsBaseline + Rippling MDM/EDR endpoint controls; role-restricted HRIS accessDirect + indirect (background check)
C-02Operate Neuroscale’s customer-relationship and sales pipelineLegitimate interests; consent for marketing where requiredProspective customer contacts; existing-customer business contactsBusiness contact data; engagement metadata; communicationsSales; Marketing; HubSpot (or equivalent CRM); Microsoft 365USRRS — Corporate; RRS — Marketing, consent, and cookiesBaseline; CRM access role-restrictedDirect (form submission, sales engagement); limited indirect (B2B contact-data vendors)
C-03Marketing communications and event marketingLegitimate interests; consent where required (EU/UK/PECR)Marketing-list subscribers; event attendees; content downloadersIdentifiers; preferences; engagement metadataMarketing; Resend (transactional email); HubSpot (marketing automation); Cookiebot (consent); Mixpanel (analytics)USRRS — Marketing, consent, and cookiesBaseline; consent records via CookiebotDirect
C-04Public website analytics and CMP-driven cookiesConsent (EU/UK ePrivacy); legitimate interests (US, where permissible)Visitors to neuroscale.ai, arbi.ai, and related propertiesDevice and log information; cookies; pixel identifiersMarketing; Mixpanel; LinkedIn Insight Tag; Meta Pixel; Google Ads; CookiebotUS (with vendor-side transfers)RRS — Marketing, consent, and cookiesBaseline; Cookiebot CMP consent-gating before non-essential tags fireDirect
C-05Sourcing Database — Neuroscale’s aggregated candidate-profile graphLegitimate interests (GDPR Art. 6(1)(f)); LIA on fileCandidates (currently US / North America residents only — confirmed 2026-06-14; EU/UK/Swiss intake is a planned near-future expansion — see Sourcing Data Acquisition Policy for source vetting)Identifiers; business contact data; employment and education history; skills and certifications; public-profile attributes; inferences derived therefromCustomer-employers; sub-processors per Subprocessor List; legal / regulatory recipients on lawful requestUS (Neuroscale operations) and US-resident sub-processors. The Sourcing DB currently holds NA-resident candidates only, so SCC / UK Addendum / DPF reliance is not yet operative for this activity. EU/UK/Swiss candidate intake is a planned near-future expansion; on go-live the transfer mechanisms in the Cross-Border Transfers procedure and the Art. 14 Notice — already prepared and retained for this purpose — become operative, and the Art. 27 / Art. 3(2) trigger is re-assessed per the controller-side note (RoPA Art. 30(1)(a))RRS — Sourcing DatabaseBaseline + application-layer encryption (Vault Transit); strict least-privilege on the sourcing graph; access loggedIndirect (public-web, licensed vendors, Customer-authorized integrations)
C-06Customer billing and paymentsPerformance of contract; legal obligation (tax, accounting)Billing contacts; authorized signatoriesIdentifiers; billing contact data; payment metadata (no card data stored)Finance; payment processor; tax authoritiesUSRRS — Financial recordsBaseline; no cardholder data stored (processor-hosted)Direct
C-07Security operations, fraud / abuse prevention, audit loggingLegitimate interests; legal obligationAll users of Neuroscale services (workforce and customer-side); visitorsIdentifiers; IP address; device identifiers; authentication metadata; activity logsCISO; Better Stack (logs / monitoring); CloudWatch; AWS / Vultr; legal / regulatory recipients on lawful requestUSRRS — Security and operationsBaseline; tamper-evident logging; access restricted to CISO/securityDirect (collected by the platform during operation)
C-08Sanctions screening and trade-complianceLegal obligation (OFAC, EAR, ITAR scope-out)Customers; partners; counterparties; workforceIdentifiers; nationality / employer where in scopeGC; CFO; sanctions-screening providerUSRRS — Privacy program records; Trade Compliance evidenceBaseline; access restricted to GC/CFODirect + indirect (third-party sanctions data)
C-09Privacy program operations (DSRs, DPIAs, breach response, training)Legal obligation; legitimate interestsData subjects asserting rights; workforceIdentifiers; identity-verification evidence; request content; outcomesGC; Privacy team; relevant subject-matter teamsUSRRS — Privacy program recordsBaseline; identity-verification evidence minimized and access-restrictedDirect (request received)

2. Processor activities (Art. 30(2))

Activities where Neuroscale processes Personal Data on behalf of Customers under the DPA Template.
IDProcessing on behalf ofCategories of Data SubjectsCategories of Personal DataSub-processorsTransfersRetentionTOMs
P-01All Arbi CustomersCandidates (active applicants, prospective candidates, talent-pool entries) submitted by Customer to Customer’s workspaceResumes/CVs; identifiers; employment and education history; skills; correspondence; assessment results; recruiting workflow notesPer Subprocessor List — AWS, Vultr, Microsoft 365, Rippling, Better Stack, Anthropic, OpenAI, xAI, Cerebras, Portkey, WorkOS, Resend, Temporal Cloud, Vercel, PDL, RocketReach, Kickbox, NumVerify, Vanta, Linear, GitHub, Cloudflare, Tailscale, Nylas, Unipile, OVH US, CheckrUS; vendor-side transfers governed by each vendor’s executed DPA + SCCs / DPFRRS — Customer dataTrust Center; Information Security Policy; Cryptography Policy
P-02All Arbi CustomersCustomer’s User accounts (recruiters, hiring managers, admins)Account identifiers; SSO identifiers; authentication metadata; in-product activityPer Subprocessor List; primarily AWS, WorkOS, Better StackUSRRS — Customer dataSame as P-01
P-03Arbi Customers using outbound-communications featuresCandidates contacted via Customer outreach (email, SMS, voice, AI-agent in-app)Identifiers; contact channel identifiers; message content; engagement metadata; consent recordsResend (email); 10DLC / short-code SMS provider per Customer; voice provider per CustomerUSRRS — Customer data; consent records 7 years per Outbound Communications PolicySame as P-01
P-04Arbi Customers using AI-assisted featuresCandidates and Customer Users whose inputs / prompts pass through model inferenceModel inputs and outputs for the relevant featureAnthropic; OpenAI; xAI; Cerebras; Portkey AIUSPer executed sub-processor DPA; no third-party trainingSame as P-01
P-05Arbi Customers using AI bias-audit and reidentification-audit featuresSample subsets of Candidate data and Deidentified DataIdentifiers; demographic proxies (for disparate-impact testing); model outputsIndependent Auditor (when engaged — tracked in the internal review-actions log)US (Auditor location TBD)RRS — Privacy program records; Bias-audit reports 7 yearsSame as P-01

3. Joint controllership

No joint-controllership arrangements within the meaning of GDPR Art. 26 are currently in place. The Sourcing Database (controller activity C-05) and Customer-workspace processing (processor activities P-01–P-05) are kept structurally separate. Should a joint-controllership relationship arise (e.g., a Customer requests joint participation in source vetting for a Customer-specific source), an Art. 26 arrangement is executed before any joint processing begins.

4. International transfers — summary

For controller-side activities, transfers are predominantly US-domestic with vendor-side transfers governed by each vendor’s executed DPA and applicable transfer mechanism. For processor-side activities, transfers operate under the DPA Template §13 (EU SCCs Modules Two and Three; UK Addendum; Swiss FDPIC modifications). See the Cross-Border Transfers Procedure for the operational TIA workflow.

5. Special-category and criminal-conviction data

No controller activity ingests special-category data within the meaning of GDPR Art. 9 by default. Where Customers upload content that contains special-category data through processor activities (P-01–P-05), the DPA Template Schedule 1 governs and the Customer bears the lawful-basis responsibility. Criminal-conviction data (Art. 10) is not knowingly processed; background-check results obtained for workforce activity C-01 are processed under Checkr’s DPA and US fair-credit-reporting rules.

6. Review cadence

  • Annual review of each row by the General Counsel.
  • Material-change review on (a) any new processing activity going live; (b) any sub-processor addition / replacement / removal; (c) any change in applicable law that affects a legal basis or transfer mechanism; (d) any change in the controller / processor allocation (e.g., a joint-controllership arrangement); (e) any incident that materially affected a processing activity.

Cross-references

Version history

VersionDateDescriptionAuthorApproved by
1.0May 10, 2026Initial RoPA registerCameron WolfeIshan Jadhwani