Authorship. Drafts are written by the on-call lead, reviewed by the CISO, and approved by the CTO or CEO depending on blast radius. For any regulatory notice, the General Counsel approves before the message leaves Neuroscale.
Conventions
- Replace {{placeholder}} fields. Do not leave any placeholder in a sent message.
- Use UTC timestamps. Avoid relative phrasings (“earlier today”) in formal notices — they’re ambiguous.
- Be a good witness: state what is known, what is not yet known, and what we are doing.
- Do not speculate, attribute blame, or describe the technical exploit until cleared.
Template 1 — Initial incident notification (customer)
Subject: [ACTION REQUIRED] Notification of a security incident affecting your Neuroscale account

Dear {{customer_name}},

We are writing to inform you of a security incident that affects, or may affect, your Neuroscale account.

What happened. At approximately {{detection_timestamp_utc}} UTC, Neuroscale detected {{short factual description, no speculation}}. Our investigation began immediately.

What we know now. {{factual summary — what was confirmed, what data categories may be involved, what was contained}}. We do not yet know {{open items}}; we will share more when those are confirmed.

What we are doing. {{containment + recovery steps already taken}}. We have engaged {{internal IR team / external IR firm if relevant / law enforcement if relevant}}.

What you should do. {{specific recommended actions, if any: rotate API keys, review audit logs, enable additional MFA factors}}. If no action is required, state that explicitly.

Where to follow updates. Our status page at {{status_page_url}} has the latest. The next update will be posted by {{commitment_time_utc}} UTC.

If you have questions, contact us at {{contact_address}}. Your dedicated contact is {{csm_name}} ({{csm_email}}).

Sincerely,
{{signatory_name}}, {{signatory_title}}, NEUROSCALE LLC
Template 2 — Status update (during the incident)
Subject: Update — Security incident affecting your Neuroscale account ({{incident_id}})

Dear {{customer_name}},

This is an update to our notice of {{prior_notice_date}} regarding {{incident_id}}.

What is new since the last update. {{factual update — confirmed root cause, additional impact discovered, additional remediation completed}}.

Current state. {{services restored / partially restored / still impaired}}.

Next milestone. {{e.g., full restoration ETA, next investigation milestone}} by {{time_utc}}.

The next update will be posted by {{commitment_time_utc}} UTC. The status page at {{status_page_url}} has live information between updates.

Sincerely,
{{signatory_name}}, NEUROSCALE LLC
Template 3 — Post-incident summary / post-mortem (customer-facing)
Subject: Post-incident summary — {{incident_id}}

Dear {{customer_name}},

The incident referenced as {{incident_id}} was resolved on {{resolution_timestamp_utc}} UTC. This summary describes what happened, what was affected, what we did, and what we are changing.

Timeline (UTC).
- {{detection_time}} — Detection of {{indicator}}.
- {{containment_time}} — Containment via {{action}}.
- {{eradication_time}} — Root cause {{cause}} was eradicated.
- {{recovery_time}} — Service was restored.
- {{resolution_time}} — Final monitoring window completed; incident closed.

Impact. {{services / customers / data scope affected}}. Specifically for {{customer_name}}: {{customer-specific impact statement}}.

Root cause. {{factual, blameless, technically specific}}.

Remediation. {{what was done to make this no longer possible}}.

Preventive measures. {{ongoing changes — code, process, monitoring, training}}. {{commit dates where credible}}.

Your records. A copy of the SHA-256 manifest of any data exported as part of recovery is available via the Customer Data Export procedure on request.

If you have questions, please contact {{csm_email}}. We appreciate your trust and are sorry for the impact.

Sincerely,
{{signatory_name}}, NEUROSCALE LLC
Template 4 — Regulatory notice (GDPR Art. 33 — supervisory authority)
The Art. 33 supervisory-authority notice is filed by the General Counsel using the relevant authority’s online form (e.g., the lead supervisory authority’s breach-reporting portal). It contains, at minimum, the elements required by Art. 33(3): nature of the breach, categories and approximate number of data subjects and records concerned, contact details of the DPO / contact point, likely consequences, and measures taken or proposed to address and mitigate the breach. Neuroscale records every Art. 33 / Art. 34 / state-AG / NYDFS / SEC submission in the regulatory-correspondence log per the Records Retention Schedule.
Template 5 — Status page entry
Title: {{Investigating | Identified | Monitoring | Resolved}}: {{short customer-facing summary}}

Body: At {{timestamp_utc}} UTC, we {{action}}. {{customer-facing impact}}. {{next update commitment}}.
Template 6 — Press hand-off (no comment)
All employees direct inbound press inquiries to press@neuroscale.ai. Do not say “no comment.” Use the standard hand-off:

“Thanks for reaching out. I’ll connect you with our communications team — they’ll respond at press@neuroscale.ai. Best email for them to reach you?”
Cross-references
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |