Owner: CISO
Effective Date: 2026-06-05
Reviewed: Annually and on material policy change
Collection surface: Vanta (signed acknowledgement)
Signed-PDF mirror: SharePoint > Production-Access Acknowledgements (
Retention: Term of employment + 7 years
Effective Date: 2026-06-05
Reviewed: Annually and on material policy change
Collection surface: Vanta (signed acknowledgement)
Signed-PDF mirror: SharePoint > Production-Access Acknowledgements (
compliance.paa/active/{{worker}}/) Retention: Term of employment + 7 years
Purpose
This Acknowledgement establishes, in writing, that every worker granted access to Neuroscale’s production environment or to customer data via the Arbi admin/support console has read, understood, and agreed to abide by the controls in the policies listed below — before access is provisioned, and at least once every twelve months thereafter. It serves as evidence for SOC 2 CC6.1/CC6.2 (logical and physical access controls), CC9.2 (vendor and personnel risk), and the Training Catalog → Production-access acknowledgement certification row.Scope
This Acknowledgement must be signed by any Neuroscale employee, contractor, or third party who is granted any of the following:- Access to Neuroscale’s AWS or Vultr production infrastructure (consoles, CLI, or API).
- Access to HashiCorp Vault production paths.
- Access to production databases or production data stores containing customer data.
- Access to the Arbi admin console, support console, or any internal tool that surfaces customer Confidential data (resumes, candidate profiles, recruiter notes, or other Customer Content as defined in the Terms of Service).
Attestation clauses
By signing below, I, {{worker_name}}, in my capacity as {{worker_role}} at or working for NEUROSCALE LLC (“Neuroscale”), acknowledge and agree to the following:1. Prerequisites met
I confirm that, before I am granted or renewed in production-scope or customer-data access: a. A Checkr background check at Tier 2 (T2) or higher has returned aclear adjudication for me, or the General Counsel has recorded an individualized-assessment decision in accordance with the FCRA / fair-chance procedures in the Background Checks Procedure. I understand that production-scope access is never granted before T2 clearance per the Onboarding Procedure → Access-grant gate.
b. I have completed production-access training in Vanta as required by the Training Catalog → Production-access training.
2. Least privilege and need-to-know
I understand and agree that: a. My access is limited to the systems and data I need to perform my assigned role. I will not attempt to access systems, environments, or data beyond what has been explicitly provisioned for me per the Access Control Policy → Least privilege. b. Customer Confidential data — including candidate resumes, candidate profiles, and recruiter notes processed through the Arbi platform — is classified Confidential under the Data Management Policy → Data classification and is accessed only on a documented, legitimate work need. I will not browse, export, or copy customer Confidential data beyond what my assigned task requires. c. I will not share my access credentials with anyone, and I will not use another person’s credentials to access Neuroscale systems. All personnel must have a unique user identifier per the Access Control Policy → User access management.3. Credential and secrets protection
I understand and agree that: a. I am responsible for protecting my Neuroscale account credentials and any MFA factors enrolled for my account. If I suspect my credentials or MFA device have been compromised, I will report immediately to security@neuroscale.ai and rotate my credentials per the Access Control Policy → User responsibility for secret authentication information. b. Production secrets live in HashiCorp Vault. Development secrets (non-production) live in the Dashlane Developer vault. I will never store production secrets outside Vault, and I will never use development secrets to access production systems. See Secrets Management → Storage. c. I will never commit a secret to source control — not in application code,.env files, config.yaml, values.yaml, container images, Helm charts, Terraform state, deployment manifests, or CI logs. I understand that Neuroscale’s pre-commit hooks and PR-time secret scanning enforce this, and that violations are flagged immediately. See Secrets Management → Rules and Secure Coding → No secrets in source.
d. I will not pass secrets to AI tools to generate, rotate, or troubleshoot — even briefly. Any secret that has touched an AI prompt is treated as compromised and rotated via Secrets Management → Rotation.
4. Change management and separation of duties
I understand and agree that: a. All production changes must flow through Neuroscale’s standard change-management process: documented in a PR, authorized via an approving review, tested in staging, and deployed through the automatedproduction-release pipeline (GitHub Actions). See Change Management → Standard change and Release Checklist.
b. Separation of duties is enforced for production deployments. The engineer who authors the release-prep PR may not be the same person who approves the production deploy. I will not attempt to self-approve a production-impacting change. See Access Control Policy → Segregation of duties.
c. I will not make out-of-band changes to production systems, infrastructure, or configuration — except under a documented break-glass procedure authorized by the CISO or on-call incident manager, with retroactive emergency-change documentation filed within 24 hours per Change Management → Emergency change.
d. During any active production change-freeze (scheduled pen-test or audit fieldwork window), I will not merge or deploy to production without a freeze-exception authorization per Change Management → Change freeze for scheduled pen-tests and audits.
5. Customer-data handling
I understand and agree that: a. Customer Confidential data I access through production systems or admin/support tooling is handled in accordance with the Data Management Policy → Confidential data at all times. I will not store Confidential customer data on personal devices, personal cloud storage, or removable media. b. Regulated health data must never be uploaded, processed, or stored in Neuroscale systems. Health information is out of scope for all Neuroscale services absent written General Counsel approval and a specific contractual addendum. See Data Management Policy → Definitions. c. Raw customer content is never used to train Neuroscale AI models. All Customer Content destined for training first passes the Deidentification Standard; raw prompts, candidate profiles, and outputs are never fed directly to training pipelines. See AI Acceptable Use Policy → Training data and AI Acceptable Use Policy → Customer prompts and outputs. d. I will not transmit any customer Confidential data to a non-approved AI tool. The list of approved tools is maintained in the AI Acceptable Use Policy → Approved tools.6. Monitoring consent
I acknowledge that: a. My use of Neuroscale production systems and admin/support consoles is logged and monitored. Logged events include user logins, CRUD operations on application objects, security-settings changes, and administrator access to customer data. Each log entry records my user ID, IP address, timestamp, action type, and action object. See Logging & Monitoring → What Neuroscale logs. b. Audit logs of my production activity are retained as security and audit evidence — up to 13 months in queryable/archived storage for security and audit events, and up to 2 years for infrastructure and change logs — in S3 (Object Lock / WORM) for tamper-evident retention. See Logging & Monitoring → Retention. c. I consent to this monitoring as a condition of my production access. This monitoring is consistent with Neuroscale’s Employee Privacy Policy and does not affect my rights under applicable law.7. Incident reporting
I understand and agree that I will promptly report any of the following to security@neuroscale.ai, and for active emergencies also page on-call via the Better Stack on-call schedule:- A suspected or confirmed compromise of my Neuroscale credentials or MFA device.
- A lost or stolen device that has been used to access Neuroscale production systems or customer data.
- Any suspected unauthorized access to Neuroscale systems or customer data — including access by another internal user that appears inconsistent with their role.
- Any other security event, policy violation, security weakness, or suspicious activity I observe.
8. Offboarding and role changes
I understand that: a. My production access will be revoked when my employment or engagement with Neuroscale ends, in accordance with the tiered removal SLA in the Access Control Policy → Removal & adjustment: immediately for involuntary or for-cause separations; by end of last business day for voluntary departures with notice. b. My access will also be reviewed and adjusted — on the same business day — if my role changes in a way that reduces the scope of access I legitimately require, per the Access Control Policy → Access reviews. c. Highly privileged credentials (production-data access, root cloud accounts) will be rotated immediately upon my separation regardless of the reason, per the Access Control Policy → Removal & adjustment.9. Annual re-sign
I understand that this Acknowledgement must be re-signed at least annually, and also upon any material change to the policies referenced herein. My completion is tracked in Vanta; my signed PDF is archived to SharePoint per the retention period stated at the top of this document. See Training Catalog → Annual certifications.Signature
By signing, I confirm that I have read and understood this Acknowledgement, that all clauses above accurately reflect my obligations as a condition of production or customer-data access, and that I will comply with the referenced policies for the duration of my access.| Employment type (employee / contractor / third party) | {{worker_employment_type}} |
| Manager / engagement sponsor | {{manager_name}} |
Variables
| Variable | Description |
|---|---|
{{worker_name}} | Worker’s full legal name |
{{worker_role}} | Worker’s title or role (e.g., “Software Engineer”, “Support Specialist”) |
{{worker_employment_type}} | ”Employee”, “Contractor”, or “Third Party” |
{{manager_name}} | Direct manager’s name (employees) or engagement sponsor (contractors/third parties) |
Cross-references
- Access Control Policy — least privilege, MFA requirements, SoD, removal SLAs.
- Data Management Policy — Confidential classification, data handling rules, health data out-of-scope.
- AI Acceptable Use Policy — approved AI tools, customer data + AI rules, training-data restrictions.
- Secrets Management — Vault, Dashlane, banned patterns.
- Secure Coding — no secrets in source, code-review expectations.
- Change Management — standard and emergency change process, change freeze.
- Release Checklist — pre-merge and pre-deploy gates.
- Logging & Monitoring — what is logged, retention tiers.
- Incident Response Plan — reporting path, severity definitions.
- Onboarding Procedure → Access-grant gate — T2 Checkr clearance + production-access training as prerequisites.
- Training Catalog → Production-access training — training requirement and cadence.
- Training Catalog → Annual certifications — annual re-sign cadence.
- Background Checks Procedure — Checkr tiers and adjudication process.
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | 2026-06-05 | Initial version — signable acknowledgement for production and customer-data access; nine attestation clauses grounded in v1.0 policy set | Cameron Wolfe | — pending — |