Register Owner: CISO and CFO
Effective Date: May 8, 2026
Reviewed: Quarterly, reconciled against Vanta and the Subprocessor List
Next Review: June 30, 2026 (Q2 2026 cycle — lands inside the initial Type II window)
Effective Date: May 8, 2026
Reviewed: Quarterly, reconciled against Vanta and the Subprocessor List
Next Review: June 30, 2026 (Q2 2026 cycle — lands inside the initial Type II window)
Operational mirror: the live, integration-driven inventory is in Vanta (with continuous monitoring and SOC 2 evidence). This inventory is the human-readable, authoritative listing referenced from policies — it is updated each time a vendor is onboarded, retiered, or offboarded, and reconciled against Vanta during the quarterly vendor review.
Tiering
Tiers are assigned by Security at intake (see Vendor Risk Assessment).| Tier | Definition | Re-review |
|---|---|---|
| High | Processes Confidential or customer data; integrates with production; or has access to production credentials. | Annually |
| Medium | Processes some personal data or provides material business-critical service without direct production access. | Every 2 years |
| Low | Public information only; no production access; no Confidential or personal data. | At contract renewal |
Current inventory
| Vendor | Tier | Scope / data | Owner | Public sub-processor? |
|---|---|---|---|---|
| Amazon Web Services (AWS) | High | Primary cloud — compute, storage (S3), KMS, secrets; majority of customer data. AWS Textract used for optical character recognition of submitted documents. | CTO | Yes — see Sub-processor List |
| Vultr | High | Secondary cloud — Vultr Cloud Compute, Vultr Bare Metal, Vultr Object Storage, Vultr Kubernetes Engine (VKE) where applicable. Hosts a portion of production compute and database workloads alongside AWS. | CTO | Yes — see Sub-processor List |
| Microsoft 365 (Outlook, SharePoint, OneDrive) | High | Workforce email, document store, internal records. | CISO | No |
| Slack | Medium | Workforce messaging and collaboration — internal communications, incident-response channels, deploy/change notifications, and approval workflows. Corporate-IT scope; no customer data processed as a sub-processor. | CISO | No |
| Rippling | High | IdP / SSO, MDM, EDR, HRIS — workforce identity and personnel records. | CISO | No |
| CrowdStrike Falcon | Medium | Runtime threat detection for production hosts, containers, and the Kubernetes control plane (Falcon sensor on production compute). Security-tooling scope — receives production system/runtime telemetry for detection only; no production credentials and no customer data processed as a sub-processor. | CISO | No |
| GitHub (incl. Advanced Security, Dependabot, Actions) | High | Source code, continuous-integration and continuous-delivery pipelines, build artifacts, and vulnerability findings. | CTO | No |
| Linear | Medium | Issue tracking, intake-form destinations. | CTO | No |
| Better Stack | Medium | Logs, uptime, on-call paging. | CISO | No |
| Vanta | Medium | Compliance automation, control evidence, vendor inventory mirror. | CISO | No |
| Dashlane | Medium | Workforce password manager. | CISO | Yes — see Sub-processor List |
| HashiCorp Vault (self-hosted on Vultr) | High | Cross-cloud secrets-of-record for production — static secrets, dynamic secrets (DB / cloud-IAM credentials), PKI, Transit-engine application-layer encryption keys. Workload auth via Vault AWS / Kubernetes / AppRole / OIDC methods. Runs on Vultr Cloud Compute / VKE; HashiCorp is a software vendor only (Vault OSS / Enterprise license), not a sub-processor. | CTO + CISO | No — self-hosted on Vultr (already listed). HashiCorp’s role is software-licensor only. |
| Checkr | Medium | Pre-employment background screening (CRA). | CHRO | No |
| HubSpot | Medium | CRM, marketing, sales pipeline. | CEO / GTM | No |
| Snyk | Medium | SCA / dependency scanning. | CTO | No |
| Semgrep | Low | SAST / static application security testing on every pull request. Open-source and self-hosted. | CTO | No |
| Aqua Security Trivy | Low | Container, infrastructure-as-code, secret, misconfiguration, and license scanning. Open-source and self-hosted. | CTO | No |
| Gitleaks | Low | Secret scanning on every change (CI). Open-source and self-hosted. | CTO | No |
| VGC LLP | Medium | Outside General Counsel. | CEO | No |
| Anthropic (Claude API / Enterprise) | High | Third-party AI model provider — used in customer-facing product features and for internal tooling. Listed on the Sub-processor List. | CTO + CISO + GC | Yes |
| OpenAI (ChatGPT Enterprise / API) | High | Third-party AI model provider — used in customer-facing product features and for internal tooling. Listed on the Sub-processor List. | CTO + CISO + GC | Yes |
| xAI (Grok API / Enterprise) | High | Third-party AI model provider — used in customer-facing product features and for internal tooling. Listed on the Sub-processor List. | CTO + CISO + GC | Yes |
| Cerebras (cerebras.ai inference) | High | Third-party AI inference provider — used in customer-facing product features and for internal tooling. Listed on the Sub-processor List. | CTO + CISO + GC | Yes |
| Portkey AI | High | LLM-gateway service operated between Neuroscale services and upstream AI model providers. Customer prompts and model outputs transit the gateway. | CTO + CISO + GC | Yes — see Sub-processor List |
| WorkOS | High | Authentication, single sign-on, and organization and membership management for the customer-facing services. | CISO | Yes — see Sub-processor List |
| Resend | High | Transactional email delivery for product and operational notifications. Processes recipient email addresses and message content. | CTO + CISO | Yes — see Sub-processor List |
| Nylas | High | Email-account sync and send-on-behalf-of for outreach features. Processes connected-mailbox content including candidate correspondence. | CTO + CISO | Yes — see Sub-processor List |
| Unipile | High | LinkedIn-account connection and messaging for outreach features. Processes candidate LinkedIn profile and messaging data. | CTO + CISO | Yes — see Sub-processor List |
| OVH US | High | Object storage for candidate profile/avatar images (US region). | CTO | Yes — see Sub-processor List |
| Stripe | High | Subscription billing and payment processing. Processes customer billing-contact identifiers and payment metadata; no card data stored by Neuroscale. | CFO + CTO | Yes — see Sub-processor List |
| Temporal Cloud | High | Background workflow orchestration. Workflow payloads may include Customer Personal Data. | CTO + CISO | Yes — see Sub-processor List |
| Vercel | High | Frontend hosting and edge runtime for the customer-facing services. | CTO | Yes — see Sub-processor List |
| Cloudflare | High | Cloudflare One (Gateway, Access, WARP) for workforce networking and Zero Trust access control; Cloudflare Tunnel for ingress to deployed services. | CISO + CTO | Yes — see Sub-processor List |
| Tailscale | High | Restricted-use VPN for production-infrastructure access (Engineering On-call and authorized engineers); break-glass / bastion path to production. | CTO + CISO | Yes — see Sub-processor List |
| People Data Labs | High | Person-profile enrichment used in customer-facing product features. | CTO + GC | Yes — see Sub-processor List |
| RocketReach | High | Contact-discovery lookups used in customer-facing product features. | CTO + GC | Yes — see Sub-processor List |
| Kickbox | Medium | Email-address deliverability validation. | CTO | Yes — see Sub-processor List |
| NumVerify (APILayer) | Medium | Phone-number validation and carrier lookup. | CTO | Yes — see Sub-processor List |
| FireCrawl | Medium | Retrieval of public-web content in support of product import features. No Customer Personal Data is transmitted to FireCrawl. | CTO | No |
| Perplexity | Medium | LLM-powered web-search/answer API used for retrieval of public-web content in support of product import features. No Customer Personal Data is transmitted to Perplexity. | CTO | No |
| Logo.dev | Low | Company-logo lookup by domain. No Personal Data or Customer Personal Data is transmitted. | CTO | No |
| Bright Data | Low | Residential-proxy network used for collection of public-web content. No Customer Personal Data is transmitted. | CTO | No |
| Advantage Partners | Medium | External auditor — SOC 2 / ISO 27001 attestation. Receives the System Description, Controls Inventory, evidence pack, and Confidential business information about Neuroscale’s controls during fieldwork. No production access; no Customer Personal Data. | CISO | No |
| Horizon3 (horizon3.ai) | Medium | Third-party penetration-testing vendor. Receives time-bounded production-environment access under written scope letter; no persistent access. | CISO | No |
Documentation kept on file (per vendor)
See Vendor Risk Assessment → Documentation kept on file.Cross-references
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |