# Artificial Intelligence Policy

> **Template and counsel-review notice.** This document is a website/app integration template, not a legal opinion. Before publication, replace bracketed placeholders, confirm actual data flows, obtain advice from qualified counsel for each jurisdiction and regulated workflow, and approve final wording through privacy, security, product, marketing, health/clinical, and executive stakeholders. Do not promise controls, certifications, response times, retention periods, or legal rights unless they are actually implemented and operationally supported.


**Effective date:** September 18, 2024  
**Last updated:** September 18, 2024  
**Organization:** NEXQ Inc.  
**Services covered:** NEXQ websites, web applications, protected workspace surfaces, mobile app surfaces, APIs, secure healthcare and healthtech workflow demonstrations, quantum encryption, diagnostics, oncology, longevity, research collaboration, support, and related services  
**Privacy contact:** hello@nexq.us  
**Security contact:** hello@nexq.us  
**Mailing address:** Irvine, CA, United States — contact hello@nexq.us for legal notices


## 1. Scope
This policy governs generative AI, predictive AI, rules engines, automated decision systems, ranking/recommendation systems, machine-learning models, embeddings, model monitoring, AI agents, model vendors, AI-assisted support, clinical or health AI, employment tools, credit/financial tools, education tools, and AI features integrated into websites, web apps, mobile apps, APIs, and internal systems.

## 2. Governance model
Use the NIST AI Risk Management Framework as the operating structure: govern, map, measure, and manage. Each AI system must be recorded in the AI system register with owner, purpose, model/vendor, input data, output use, user population, affected rights, risk tier, testing evidence, monitoring plan, incident path, and retirement plan.

## 3. Prohibited or restricted uses
Without written executive, legal, privacy, and security approval, do not use AI to make or materially influence employment, housing, lending, credit, insurance, education, healthcare, criminal justice, essential-service, or similarly consequential decisions. Do not use AI for deceptive impersonation, undisclosed surveillance, biometric identification in sensitive contexts, unlawful discrimination, unauthorized practice of medicine or law, or circumvention of safety controls.

## 4. Consequential decisions and ADMT
For automated decision-making in consequential contexts, complete an impact assessment before deployment. Minimum controls include purpose limitation, data minimization, bias/fairness testing, accuracy evaluation, representative test data, human review, meaningful notice, appeal or contest process where required, opt-out where required, logging, and vendor contract controls. Colorado’s 2026 ADMT Act and California’s 2025 CCPA rulemaking require special monitoring for future effective dates and implementation details.

## 5. Data use and model training
AI systems must not train on customer confidential data, PHI/ePHI, consumer health data, student data, financial data, children’s data, source code, trade secrets, or personal data unless the contract, notice, consent/legal basis, security controls, and retention policy expressly permit the use. Maintain opt-out and deletion paths for prompts, files, embeddings, fine-tuning sets, evaluation sets, and logs.

## 6. Transparency and user controls
Where AI is used in user-facing features, disclose material AI involvement when required or when omission would be misleading. Provide appropriate instructions, limitations, human-contact paths, and reporting channels for harmful, inaccurate, biased, unsafe, or privacy-invasive outputs.

## 7. Accuracy, safety, and red teaming
Before launch, evaluate hallucination, bias, privacy leakage, prompt injection, jailbreaking, unsafe outputs, security misuse, copyrighted-content risk, clinical risk, downstream user reliance, adversarial inputs, and model drift. Keep test sets, results, mitigations, approvals, and known limitations.

## 8. Health, clinical, and FDA-regulated AI
AI that supports diagnosis, treatment, monitoring, triage, clinical decision support, medical-device functions, or software as a medical device requires FDA and clinical-safety review. No AI output should be described as medical advice, diagnostic, FDA-cleared, or clinically validated unless that statement is supported by regulatory and clinical evidence.

## 9. Vendor and open-source controls
AI vendors and open-source model deployments require security review, privacy review, licensing/IP review, data processing terms, retention and deletion terms, audit rights, subprocessor transparency, incident notice, model update notice, and restrictions on training or secondary use.

## 10. Incident handling
AI incidents include privacy leakage, prompt-injection compromise, discriminatory output, unsafe clinical/financial/legal advice, security misuse, harmful automation, model exfiltration, copyright leakage, unauthorized training, and material inaccuracy. Escalate under the Incident Response Policy.
