Authorship. Drafts are written by the on-call lead, reviewed by the CISO, and approved by the CTO or CEO depending on blast radius. For any regulatory notice, the General Counsel approves before the message leaves Neuroscale.
Conventions
- Replace {{placeholder}} fields. Do not leave any placeholder in a sent message.
- Use UTC timestamps. Avoid relative phrasings (“earlier today”) in formal notices — they’re ambiguous.
- Be a good witness: state what is known, what is not yet known, and what we are doing.
- Do not speculate, attribute blame, or describe the technical exploit until cleared.
Template 1 — Initial incident notification (customer)
Subject: [ACTION REQUIRED] Notification of a security incident affecting your Neuroscale account
Dear {{customer_name}},
We are writing to inform you of a security incident that affects, or may affect, your Neuroscale account.
What happened. At approximately {{detection_timestamp_utc}} UTC, Neuroscale detected {{detection_description}}. Our investigation began immediately.
What we know now. {{known_facts_summary}}. We do not yet know {{open_items}}; we will share more when those are confirmed.
What we are doing. {{response_steps_taken}}. We have engaged {{parties_engaged}}.
What you should do. {{recommended_actions}}. If no action is required, state that explicitly.
Where to follow updates. Our status page at {{status_page_url}} has the latest. The next update will be posted by {{commitment_time_utc}} UTC.
If you have questions, contact us at {{contact_address}}. Your dedicated contact is {{csm_name}} ({{csm_email}}).
Sincerely,
{{signatory_name}}, {{signatory_title}}, NEUROSCALE LLC
Template 2 — Status update (during the incident)
Subject: Update — Security incident affecting your Neuroscale account ({{incident_id}}) Dear {{customer_name}}, This is an update to our notice of {{prior_notice_date}} regarding {{incident_id}}. What is new since the last update. {{status_update_detail}}. Current state. {{service_state}}. Next milestone. {{next_milestone}} by {{time_utc}}. The next update will be posted by {{commitment_time_utc}} UTC. The status page at {{status_page_url}} has live information between updates. Sincerely, {{signatory_name}}, NEUROSCALE LLC
Template 3 — Post-incident summary / post-mortem (customer-facing)
Subject: Post-incident summary — {{incident_id}} Dear {{customer_name}}, The incident referenced as {{incident_id}} was resolved on {{resolution_timestamp_utc}} UTC. This summary describes what happened, what was affected, what we did, and what we are changing. Timeline (UTC).Impact. {{impact_scope}}. Specifically for {{customer_name}}: {{customer_impact_statement}}. Root cause. {{root_cause_statement}}. Remediation. {{remediation_statement}}. Preventive measures. {{preventive_measures}}. {{commit_dates}}. Your records. A copy of the SHA-256 manifest of any data exported as part of recovery is available via the Customer Data Export procedure on request. If you have questions, please contact {{csm_email}}. We appreciate your trust and are sorry for the impact. Sincerely, {{signatory_name}}, NEUROSCALE LLC
- {{detection_time}} — Detection of {{indicator}}.
- {{containment_time}} — Containment via {{action}}.
- {{eradication_time}} — Root cause {{cause}} was eradicated.
- {{recovery_time}} — Service was restored.
- {{resolution_time}} — Final monitoring window completed; incident closed.
Template 4 — Regulatory notice (GDPR Art. 33 — supervisory authority)
The Art. 33 supervisory-authority notice is filed by the General Counsel using the relevant authority’s online form (e.g., the lead supervisory authority’s breach-reporting portal). It contains, at minimum, the elements required by Art. 33(3): nature of the breach, categories and approximate number of data subjects and records concerned, contact details of Neuroscale’s privacy contact point, likely consequences, and measures taken or proposed to address and mitigate the breach. Neuroscale records every Art. 33 / Art. 34 / state-AG / NYDFS submission in the regulatory-correspondence log per the Records Retention Schedule.
Template 5 — Status page entry
Title: {{status_label}}: {{customer_summary}} Body: At {{timestamp_utc}} UTC, we {{action}}. {{customer_facing_impact}}. {{next_update_commitment}}.
Template 6 — Press hand-off (no comment)
All employees direct inbound press inquiries to press@neuroscale.ai. Do not say “no comment.” Use the standard hand-off:“Thanks for reaching out. I’ll connect you with our communications team — they’ll respond at press@neuroscale.ai. Best email for them to reach you?”
Variables
| Variable | Description |
|---|---|
{{customer_name}} | Recipient customer’s name |
{{detection_timestamp_utc}} | UTC timestamp at which the incident was detected |
{{detection_description}} | Short factual description of what was detected — no speculation |
{{known_facts_summary}} | Factual summary of what is known now — what was confirmed, what data categories may be involved, what was contained |
{{open_items}} | What is not yet known |
{{response_steps_taken}} | Containment and recovery steps already taken |
{{parties_engaged}} | Parties engaged in the response (internal IR team, external IR firm if relevant, law enforcement if relevant) |
{{recommended_actions}} | Specific recommended customer actions, if any (e.g., rotate API keys, review audit logs, enable additional MFA factors) |
{{status_page_url}} | URL of the Neuroscale status page |
{{commitment_time_utc}} | UTC time by which the next update will be posted |
{{contact_address}} | Contact address for customer questions |
{{csm_name}} | Customer success manager’s name |
{{csm_email}} | Customer success manager’s email |
{{signatory_name}} | Name of the message signatory |
{{signatory_title}} | Title of the message signatory |
{{incident_id}} | Incident identifier |
{{prior_notice_date}} | Date of the prior notice being updated |
{{status_update_detail}} | Factual update since the last notice — confirmed root cause, additional impact discovered, additional remediation completed |
{{service_state}} | Current state of affected services (e.g., restored, partially restored, still impaired) |
{{next_milestone}} | Next milestone (e.g., full restoration ETA, next investigation milestone) |
{{time_utc}} | UTC time of the next milestone |
{{resolution_timestamp_utc}} | UTC timestamp at which the incident was resolved |
{{detection_time}} | Timeline — detection time (UTC) |
{{indicator}} | Timeline — detected indicator |
{{containment_time}} | Timeline — containment time (UTC) |
{{action}} | Timeline — containment action; also used in the status-page entry |
{{eradication_time}} | Timeline — eradication time (UTC) |
{{cause}} | Timeline — root cause eradicated |
{{recovery_time}} | Timeline — recovery time (UTC) |
{{resolution_time}} | Timeline — resolution time (UTC) |
{{impact_scope}} | Impact scope — services, customers, and data scope affected |
{{customer_impact_statement}} | Customer-specific impact statement |
{{root_cause_statement}} | Root-cause statement — factual, blameless, technically specific |
{{remediation_statement}} | Remediation statement — what was done to make this no longer possible |
{{preventive_measures}} | Preventive measures — ongoing changes to code, process, monitoring, training |
{{commit_dates}} | Commit dates for preventive measures, where credible |
{{status_label}} | Status-page entry — status label (one of Investigating, Identified, Monitoring, Resolved) |
{{customer_summary}} | Status-page entry — short customer-facing summary |
{{timestamp_utc}} | Status-page entry — UTC timestamp |
{{customer_facing_impact}} | Status-page entry — customer-facing impact |
{{next_update_commitment}} | Status-page entry — next update commitment |
Cross-references
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |