Information Security Policy (ISP)
At Neurolabs, we strive to implement extensive and reasonable measures to prevent unauthorized access, modification, destruction, or damage of your personal information and data stored using our Services. We give careful consideration to how we process and store your data. We know that the security of cloud-based services is paramount to their reputation, and this policy covers all information entrusted to us by our customers.
Version 1 of this policy was last updated on May 30, 2025. Historic versions can be obtained by contacting us.
This policy and our procedures are aligned with ISO/IEC 27001:2022.
1. Security Culture & People
1.1 Security Awareness & Training
All employees complete mandatory security awareness training at onboarding and are required to review core policies annually. Training includes role-specific security practices.
1.2 Clean Desk & Remote Work Practices
Neurolabs expects employees to maintain secure workspaces, particularly in remote or co-working environments.
This includes:
a) Locking screens when away from devices
b) Storing sensitive notes or printed materials securely
c) Avoiding written passwords or access credentials in plain sight
d) Ensuring work laptops are physically secure when not in use
1.3 These practices help reduce the risk of unauthorized access and support broader data protection efforts.
2. Assets & Access Management
2.1 Asset Management
Neurolabs maintains an asset inventory of company-owned devices used to access customer or production environments. Devices must be enrolled in mobile device management (MDM) and meet minimum security requirements. Asset tracking is managed in line with our Asset Management Policy.
2.2 Access Control & Authentication
Neurolabs applies role-based access principles to its systems and infrastructure and is working toward a fully enforced least-privilege model. Multi-factor authentication (MFA) is enabled on the core systems in the Neurolabs tech stack, with additional coverage in progress. Access provisioning is handled through secure identity tools, and access reviews are conducted periodically. Access is revoked promptly following employment changes, with improvements to automate this further underway.
2.3 Remote Access Security
Remote access to Neurolabs systems must meet minimum security requirements. Key controls include:
a) Use of VPN or secure tunnels when accessing production or customer environments
b) Multi-factor authentication (MFA) on all remote-access tools
c) No simultaneous connections to unsecured networks during active sessions
d) All laptops must have up-to-date antivirus and endpoint protection
2.4 Remote access controls are periodically reviewed as part of access management and DevSecOps practices.
3. Technical Security Controls
3.1 Encryption Practices
Neurolabs enforces industry-standard encryption for data security. All customer data is encrypted in transit using TLS 1.2 or higher, and at rest using strong encryption (e.g., AES-256) via cloud-native encryption tooling. Encryption keys are managed using AWS or GCP Key Management Services (KMS). Full-disk encryption is enabled for company-issued laptops.
3.2 Logging & Monitoring Practices
Application and infrastructure logs may include indirect customer identifiers (e.g., large corporation names or product IDs); these are pseudonymized when possible, and logs do not contain directly identifiable personal data. Logs are used for debugging, performance monitoring, and reliability.
3.3 Data Classification, Retention, and Protection
Neurolabs aligns retention periods with contractual requirements. Customer data is protected in line with encryption and access controls; formal classification tiers are in development.
3.4 Vulnerability Management
Vulnerabilities are tracked and remediated using industry tools. Patch prioritization follows severity and exploitability.
4. Operational Security
4.1 Incident Response & Breach Notification
Neurolabs maintains an incident response process designed to detect, respond to, and recover from security incidents in a timely and effective manner. Incidents are triaged by severity and escalated to the appropriate personnel. In the event of a personal data breach, Neurolabs will notify affected customers without undue delay and, where legally required, within 72 hours of becoming aware of the incident.
4.2 Backup & Recovery
Neurolabs leverages managed cloud infrastructure (AWS and GCP) to ensure resilience and durability of production data. Backups are performed automatically via cloud-native snapshot and replication tools for key data stores. Retention periods are based on platform defaults or contractual requirements. Backup integrity and restoration procedures are reviewed periodically as part of infrastructure reviews.
4.3 Business Continuity & Disaster Recovery
Business continuity is supported by Neurolabs’ distributed architecture, regional tenancy model, and cloud-native failover mechanisms. In the event of service disruption, recovery procedures prioritize restoration of customer access and system integrity. Roles and escalation paths are defined in our internal incident response and DevOps playbooks. Formal business continuity and disaster recovery documentation is in progress.
4.4 Physical Security
Neurolabs does not operate data centers and relies on secure cloud infrastructure. Physical access to employee laptops and company devices is restricted through company-managed device policies, full-disk encryption, and strong authentication. Office space and co-working environments are access-controlled.
4.5 Regional Tenancy & Cloud Hosting
Neurolabs provisions customer environments according to contractual data residency requirements; by default, all customers are hosted in EU- or UK-based cloud environments. Regional tenancy is enforced through deployment controls and monitored for configuration drift as part of our DevSecOps practices. Cross-border data transfers are safeguarded through Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA), or equivalent mechanisms.
4.6 Secure Development
Secure development practices are integrated into Neurolabs' engineering workflows. Source control, code review, and CI/CD pipeline security are in place; a formal SDLC policy is planned.
5. Third-Party Risk & Legal Compliance
5.1 Vendor & Subprocessor Oversight
All third-party subprocessors are vetted under our Vendor Management Policy. Due diligence includes:
a) Data residency assessment
b) Evaluation of compliance with SCCs/IDTA
c) Review of security posture and incident history
d) Execution of data protection agreements with confidentiality obligations
5.2 Vendor Management (Expanded)
Vendor risk is managed through due diligence prior to onboarding and monitored through the Vendor Management Policy. All subprocessors with access to Customer Data are contractually required to meet equivalent security and privacy standards under SCCs, IDTA, or applicable law.
5.3 Data Subject Requests
As a processor, Neurolabs assists Customers (as controllers) in responding to data subject rights requests but does not respond directly. Where necessary, access, correction, or deletion assistance is provided through platform features or by support teams in line with our data processing agreement.