Register Owner: CISO and CFO
Effective Date: May 16, 2026
Reviewed: Quarterly, reconciled against the Vendor Inventory and Vanta
Next Review: June 30, 2026 (Q2 2026 cycle — lands inside the initial Type II window)
Effective Date: May 16, 2026
Reviewed: Quarterly, reconciled against the Vendor Inventory and Vanta
Next Review: June 30, 2026 (Q2 2026 cycle — lands inside the initial Type II window)
Why some reviews are scheduled inside the initial Type II window. The Vendor Risk Assessment procedure was effective 2026-05-08, which would put every “first annual review” 12 months out (2027-05-08) — outside the initial Type II observation window (June 22 – September 22, 2026). To produce CC9.2 operating-effectiveness evidence inside the initial window, the six most-Confidential-touching High-tier vendors are reviewed early (June – August 2026). The remaining 12 High-tier vendors are reviewed inside the first subsequent 12-month window (Sep 22, 2026 – Sep 22, 2027) on their natural 12-month cadence from the procedure effective date.
Initial Type II window — early reviews (June – August 2026)
Six High-tier vendors are reviewed early so CC9.2 has operating evidence inside the 3-month initial window. The reviewer produces a Vendor Annual Review Note per the Vendor Risk Assessment procedure → Annual review note and files it in SharePoint Evidence Library / Vendor Reviews / 2026 /<vendor>.
| Vendor | Tier | Due | Reviewer | Why prioritized |
|---|---|---|---|---|
| Amazon Web Services (AWS) | High | 2026-06-30 | CISO + CTO | Primary cloud — majority of Confidential customer data; widest attack surface; largest subservice-organization reliance. |
| Vultr | High | 2026-07-15 | CISO + CTO | Secondary cloud — Vault cluster + a portion of production compute / database. Subservice-organization reliance. |
| Rippling | High | 2026-07-31 | CISO + CHRO | IdP / SSO / MDM / EDR / HRIS — gates workforce access to production; personnel records. |
| HashiCorp (Vault license) | High | 2026-08-15 | CISO + CTO | Software vendor for the cross-cloud secrets-of-record. License posture + vendor security narrative. |
| Anthropic | High | 2026-08-30 | CISO + GC | Upstream AI provider with the largest share of customer-content-bearing model traffic. |
| OpenAI | High | 2026-08-30 | CISO + GC | Upstream AI provider — second-largest share; both reviewed together to capture the AI-provider-class control surface. |
First subsequent 12-month window — natural-cadence reviews (Sep 2026 – Sep 2027)
The remaining 12 High-tier vendors are reviewed inside the first subsequent window on the natural 12-month cadence from the procedure effective date. Dates below are targets; CISO + CFO confirm at the ISMS Management Review preceding each due date.| Vendor | Tier | Due (target) | Reviewer |
|---|---|---|---|
| Microsoft 365 | High | 2026-09-30 | CISO |
| GitHub (incl. Advanced Security, Dependabot, Actions) | High | 2026-10-31 | CISO + CTO |
| xAI | High | 2026-11-30 | CISO + GC |
| Cerebras | High | 2026-12-31 | CISO + GC |
| Portkey AI | High | 2027-01-31 | CISO + GC |
| WorkOS | High | 2027-02-15 | CISO |
| Resend | High | 2027-02-28 | CISO + CTO |
| Temporal Cloud | High | 2027-03-15 | CISO + CTO |
| Vercel | High | 2027-03-31 | CISO + CTO |
| Cloudflare | High | 2027-04-15 | CISO + CTO |
| People Data Labs | High | 2027-04-30 | CISO + GC |
| RocketReach | High | 2027-05-08 | CISO + GC |
Medium-tier — biennial cadence
The Vendor Risk Assessment procedure sets Medium-tier vendors at a 2-year re-review cadence. First biennial cycle is 2028-05-08 unless an intervening trigger (material change in scope, security incident, contract renewal) accelerates a Medium-tier review. The Medium-tier vendor list lives in Vendor Inventory; no per-vendor schedule is published here for Medium tier — the trigger-driven model is sufficient on a biennial cadence.Triggers — out-of-cycle reviews (any tier)
A vendor review is performed out-of-cycle on any of:- Material change in vendor scope (new data class processed, new production-credential grant)
- Vendor security incident affecting Neuroscale data
- Contract renewal or DPA refresh
- Vendor SOC 2 / ISO 27001 attestation lapse
- Vendor M&A event materially changing the entity
- Sub-processor change in the vendor’s stack that affects Neuroscale’s flow-down obligations
Evidence
For each review:- Vendor Annual Review Note (per the procedure) committed to SharePoint Evidence Library / Vendor Reviews /
<YYYY>/<vendor>and mirrored in the Vanta vendor file. - Linear ticket opened by the reviewer at start; closed on note commit.
- Vendor-side attestation refresh (SOC 2 Type II report, ISO 27001 cert, DPA) on file with date stamped in the note.
Cross-references
- Third-Party Management Policy — the source obligation
- Vendor Risk Assessment procedure — the operating procedure
- Vendor Inventory — the canonical vendor list and tiering
- Compliance Calendar → Annual — the cadence-level commitment
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 16, 2026 | Initial schedule. Six High-tier vendors pulled into initial Type II window; 12 remaining High-tier on natural cadence in subsequent window. | Cameron Wolfe | Ishan Jadhwani |