Register Owner: General Counsel
Effective Date: May 10, 2026
Reviewed: At least annually and on each material change to a processing activity, sub-processor list, or applicable law
Next Review: May 10, 2027
Effective Date: May 10, 2026
Reviewed: At least annually and on each material change to a processing activity, sub-processor list, or applicable law
Next Review: May 10, 2027
Controller identity and contact (Art. 30(1)(a))
- Controller: NEUROSCALE LLC, 46175 Westlake Dr Ste 300, Sterling, VA 20165, USA.
- Privacy contact / Art. 30(1)(a) point of contact: General Counsel, privacy@neuroscale.ai. Neuroscale has not made a mandatory Art. 37 DPO designation (the threshold is not triggered); the General Counsel performs DPO-equivalent duties voluntarily and is the standing contact for supervisory authorities and data subjects. See Roles & Responsibilities → Regulatory aliases.
- EU / UK Art. 27 representative: not appointed (no EU/UK establishment and no Art. 3(2) trigger met as of the effective date); the General Counsel re-confirms this on each material change to EU/UK-facing processing.
- General description of technical and organizational measures (Art. 30(1)(g)): the baseline TOMs applicable across all controller activities are described in the Information Security Policy, the Cryptography Policy (encryption in transit and at rest), the Access Control Policy (least privilege, MFA, SoD), and the Trust Center. Per-activity deviations or additions are noted in the TOMs column of each table below.
Purpose
Maintain the records required by GDPR Art. 30(1) (controller) and GDPR Art. 30(2) (processor), plus analogous obligations under UK GDPR Art. 30 and applicable state-law disclosure provisions. This register supports DPIA work, DSR routing, supervisory-authority cooperation, and incident-response scoping.How to read
Each row in the controller / processor tables below corresponds to a single processing activity. Activities are scoped narrowly — a single “purpose family” plus the data flowing through it. Where one technical system supports multiple purposes, multiple rows exist. Column glossary:- Purpose — the operational outcome the activity is designed to produce.
- Legal basis (EU/UK) — GDPR Art. 6 basis; Art. 9 derogation where special-category data is in scope.
- Categories of Data Subjects.
- Categories of Personal Data.
- Recipients — internal teams; sub-processors; legal/regulatory recipients.
- Cross-border transfers — destinations and transfer mechanisms.
- Retention — pointer to the Records Retention Schedule row.
- TOMs reference — pointer to the Information Security Policy, Cryptography Policy, or Trust Center.
- Source of data — direct collection; indirect collection; both.
1. Controller activities (Art. 30(1))
Activities where Neuroscale determines the means and purposes.| ID | Purpose | Legal basis (EU/UK) | Categories of Data Subjects | Categories of Personal Data | Recipients | Cross-border transfers | Retention | TOMs (Art. 30(1)(g)) | Source |
|---|---|---|---|---|---|---|---|---|---|
| C-01 | Operate Neuroscale’s workforce — recruit, hire, employ, manage, pay, offboard | Performance of contract; legal obligation; legitimate interests | Applicants; employees; contractors; their emergency contacts and dependents (limited) | Identifiers; contact data; employment history; education; compensation; tax identifiers; background-check results; benefits data; performance data | HRBP; Rippling (HRIS / IdP / MDM / EDR; Rippling Global EOR for non-US workers); Checkr (background checks); payroll provider; insurance broker; Microsoft 365; legal recipients (e.g., DOL) | US — primarily domestic. Workforce-data inbound flows from Brazilian-resident workers (LGPD, Lei 13.709/2018) and Indian-resident workers (DPDP Act, 2023 once notified) into US-resident processors (Rippling US, Checkr US, M365 US, Vanta US, GitHub US, AWS US, Vultr US) are governed by the Cross-Border Transfers procedure; per-country lawful-basis and transfer-mechanism analysis is in the Non-US Workforce SOC 2 Brief. Where Rippling acts as employer-of-record, Rippling executes its own LGPD / DPDP compliance as employer; Neuroscale retains controller obligations for Neuroscale-side processing. | RRS — Personnel records | Baseline + Rippling MDM/EDR endpoint controls; role-restricted HRIS access | Direct + indirect (background check) |
| C-02 | Operate Neuroscale’s customer-relationship and sales pipeline | Legitimate interests; consent for marketing where required | Prospective customer contacts; existing-customer business contacts | Business contact data; engagement metadata; communications | Sales; Marketing; HubSpot (or equivalent CRM); Microsoft 365 | US | RRS — Corporate; RRS — Marketing, consent, and cookies | Baseline; CRM access role-restricted | Direct (form submission, sales engagement); limited indirect (B2B contact-data vendors) |
| C-03 | Marketing communications and event marketing | Legitimate interests; consent where required (EU/UK/PECR) | Marketing-list subscribers; event attendees; content downloaders | Identifiers; preferences; engagement metadata | Marketing; Resend (transactional email); HubSpot (marketing automation); Cookiebot (consent); Mixpanel (analytics) | US | RRS — Marketing, consent, and cookies | Baseline; consent records via Cookiebot | Direct |
| C-04 | Public website analytics and CMP-driven cookies | Consent (EU/UK ePrivacy); legitimate interests (US, where permissible) | Visitors to neuroscale.ai, arbi.ai, and related properties | Device and log information; cookies; pixel identifiers | Marketing; Mixpanel; LinkedIn Insight Tag; Meta Pixel; Google Ads; Cookiebot | US (with vendor-side transfers) | RRS — Marketing, consent, and cookies | Baseline; Cookiebot CMP consent-gating before non-essential tags fire | Direct |
| C-05 | Sourcing Database — Neuroscale’s aggregated candidate-profile graph | Legitimate interests (GDPR Art. 6(1)(f)); LIA on file | Candidates (currently US / North America residents only — confirmed 2026-06-14; EU/UK/Swiss intake is a planned near-future expansion — see Sourcing Data Acquisition Policy for source vetting) | Identifiers; business contact data; employment and education history; skills and certifications; public-profile attributes; inferences derived therefrom | Customer-employers; sub-processors per Subprocessor List; legal / regulatory recipients on lawful request | US (Neuroscale operations) and US-resident sub-processors. The Sourcing DB currently holds NA-resident candidates only, so SCC / UK Addendum / DPF reliance is not yet operative for this activity. EU/UK/Swiss candidate intake is a planned near-future expansion; on go-live the transfer mechanisms in the Cross-Border Transfers procedure and the Art. 14 Notice — already prepared and retained for this purpose — become operative, and the Art. 27 / Art. 3(2) trigger is re-assessed per the controller-side note (RoPA Art. 30(1)(a)) | RRS — Sourcing Database | Baseline + application-layer encryption (Vault Transit); strict least-privilege on the sourcing graph; access logged | Indirect (public-web, licensed vendors, Customer-authorized integrations) |
| C-06 | Customer billing and payments | Performance of contract; legal obligation (tax, accounting) | Billing contacts; authorized signatories | Identifiers; billing contact data; payment metadata (no card data stored) | Finance; payment processor; tax authorities | US | RRS — Financial records | Baseline; no cardholder data stored (processor-hosted) | Direct |
| C-07 | Security operations, fraud / abuse prevention, audit logging | Legitimate interests; legal obligation | All users of Neuroscale services (workforce and customer-side); visitors | Identifiers; IP address; device identifiers; authentication metadata; activity logs | CISO; Better Stack (logs / monitoring); CloudWatch; AWS / Vultr; legal / regulatory recipients on lawful request | US | RRS — Security and operations | Baseline; tamper-evident logging; access restricted to CISO/security | Direct (collected by the platform during operation) |
| C-08 | Sanctions screening and trade-compliance | Legal obligation (OFAC, EAR, ITAR scope-out) | Customers; partners; counterparties; workforce | Identifiers; nationality / employer where in scope | GC; CFO; sanctions-screening provider | US | RRS — Privacy program records; Trade Compliance evidence | Baseline; access restricted to GC/CFO | Direct + indirect (third-party sanctions data) |
| C-09 | Privacy program operations (DSRs, DPIAs, breach response, training) | Legal obligation; legitimate interests | Data subjects asserting rights; workforce | Identifiers; identity-verification evidence; request content; outcomes | GC; Privacy team; relevant subject-matter teams | US | RRS — Privacy program records | Baseline; identity-verification evidence minimized and access-restricted | Direct (request received) |
2. Processor activities (Art. 30(2))
Activities where Neuroscale processes Personal Data on behalf of Customers under the DPA Template.| ID | Processing on behalf of | Categories of Data Subjects | Categories of Personal Data | Sub-processors | Transfers | Retention | TOMs |
|---|---|---|---|---|---|---|---|
| P-01 | All Arbi Customers | Candidates (active applicants, prospective candidates, talent-pool entries) submitted by Customer to Customer’s workspace | Resumes/CVs; identifiers; employment and education history; skills; correspondence; assessment results; recruiting workflow notes | Per Subprocessor List — AWS, Vultr, Microsoft 365, Rippling, Better Stack, Anthropic, OpenAI, xAI, Cerebras, Portkey, WorkOS, Resend, Temporal Cloud, Vercel, PDL, RocketReach, Kickbox, NumVerify, Vanta, Linear, GitHub, Cloudflare, Tailscale, Nylas, Unipile, OVH US, Checkr | US; vendor-side transfers governed by each vendor’s executed DPA + SCCs / DPF | RRS — Customer data | Trust Center; Information Security Policy; Cryptography Policy |
| P-02 | All Arbi Customers | Customer’s User accounts (recruiters, hiring managers, admins) | Account identifiers; SSO identifiers; authentication metadata; in-product activity | Per Subprocessor List; primarily AWS, WorkOS, Better Stack | US | RRS — Customer data | Same as P-01 |
| P-03 | Arbi Customers using outbound-communications features | Candidates contacted via Customer outreach (email, SMS, voice, AI-agent in-app) | Identifiers; contact channel identifiers; message content; engagement metadata; consent records | Resend (email); 10DLC / short-code SMS provider per Customer; voice provider per Customer | US | RRS — Customer data; consent records 7 years per Outbound Communications Policy | Same as P-01 |
| P-04 | Arbi Customers using AI-assisted features | Candidates and Customer Users whose inputs / prompts pass through model inference | Model inputs and outputs for the relevant feature | Anthropic; OpenAI; xAI; Cerebras; Portkey AI | US | Per executed sub-processor DPA; no third-party training | Same as P-01 |
| P-05 | Arbi Customers using AI bias-audit and reidentification-audit features | Sample subsets of Candidate data and Deidentified Data | Identifiers; demographic proxies (for disparate-impact testing); model outputs | Independent Auditor (when engaged — tracked in the internal review-actions log) | US (Auditor location TBD) | RRS — Privacy program records; Bias-audit reports 7 years | Same as P-01 |
3. Joint controllership
No joint-controllership arrangements within the meaning of GDPR Art. 26 are currently in place. The Sourcing Database (controller activity C-05) and Customer-workspace processing (processor activities P-01–P-05) are kept structurally separate. Should a joint-controllership relationship arise (e.g., a Customer requests joint participation in source vetting for a Customer-specific source), an Art. 26 arrangement is executed before any joint processing begins.4. International transfers — summary
For controller-side activities, transfers are predominantly US-domestic with vendor-side transfers governed by each vendor’s executed DPA and applicable transfer mechanism. For processor-side activities, transfers operate under the DPA Template §13 (EU SCCs Modules Two and Three; UK Addendum; Swiss FDPIC modifications). See the Cross-Border Transfers Procedure for the operational TIA workflow.5. Special-category and criminal-conviction data
No controller activity ingests special-category data within the meaning of GDPR Art. 9 by default. Where Customers upload content that contains special-category data through processor activities (P-01–P-05), the DPA Template Schedule 1 governs and the Customer bears the lawful-basis responsibility. Criminal-conviction data (Art. 10) is not knowingly processed; background-check results obtained for workforce activity C-01 are processed under Checkr’s DPA and US fair-credit-reporting rules.6. Review cadence
- Annual review of each row by the General Counsel.
- Material-change review on (a) any new processing activity going live; (b) any sub-processor addition / replacement / removal; (c) any change in applicable law that affects a legal basis or transfer mechanism; (d) any change in the controller / processor allocation (e.g., a joint-controllership arrangement); (e) any incident that materially affected a processing activity.
Cross-references
- Privacy Notice — public-facing companion.
- Art. 14 Indirect Collection Notice — Sourcing Database (C-05) candidate-facing notice.
- DPA Template — processor activities baseline.
- Subprocessor List — current sub-processor roster.
- Records Retention Schedule — retention pointers.
- Cross-Border Transfers Procedure — TIA workflow.
- Sourcing Data Acquisition Policy — C-05 source vetting and LIA.
- Trust Center — TOMs companion.
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 10, 2026 | Initial RoPA register | Cameron Wolfe | Ishan Jadhwani |