# Implementation Guide — Audited Release

## 1. Install site files
Copy `site/`, `forms/`, `snippets/`, and generated `site/policies/*.html` into your website/app static assets or CMS.

## 2. Configure placeholders
Update `config/policy-config.json` and every `NEXQ-reviewed value` in Markdown/HTML/forms/snippets. Do not publish with placeholders.

## 3. Wire privacy operations
- DSAR endpoint: implement secure identity verification, CSRF, server-side validation, rate limits, audit logging, encrypted storage, and role-based access.
- Deletion: map deletion across source systems, vendors, backups, logs, and suppression lists.
- Appeals: route state-law appeals to legal/privacy review.
- Authorized agents: implement proof-of-authorization logic.

## 4. Wire cookie and tracking controls
- Keep optional analytics/advertising scripts as `type="text/plain"` with `data-consent` and `data-src` until consent is granted.
- Test GPC/universal opt-out signals.
- Disable optional trackers on regulated sensitive flows unless approved.
- Maintain `tracking-technology-inventory.csv`.

## 5. Complete regulated-sector gates
Run the applicable checklists before launch: HIPAA/healthcare, consumer health data, FDA/healthtech, GLBA/financial, FERPA/student, AI/ADMT, post-quantum crypto, app-store privacy, and vendor risk.

## 6. Evidence package
Maintain screenshots, code scans, tag scans, app-store forms, contracts, consent logs, vendor reviews, DPIAs/PIAs, AI assessments, retention schedules, deletion tests, and incident tabletop results.
