# Confidentiality and Confidential Privacy Policy

> **Customization required.** This template is provided for policy operations and counsel review. Replace every `NEXQ-reviewed value`, verify every factual statement, and confirm applicability before publication. The template is not legal advice and does not create an attorney-client relationship.

**Effective date:** September 18, 2024  
**Last updated:** September 18, 2024  
**Owner:** NEXQ privacy, security, and legal operations  
**Applies to:** NEXQ websites, web applications, protected workspace surfaces, mobile app surfaces, APIs, secure healthcare and healthtech workflow demonstrations, quantum encryption, diagnostics, oncology, longevity, research collaboration, support, and related services

This policy governs confidential information, restricted personal information, proprietary information, and secrets handled by NEXQ, personnel, contractors, vendors, and integrated systems.

## 1. Purpose
Confidentiality protects users, patients, customers, employees, intellectual property, trade secrets, security information, and regulated records. Confidential data must be handled only for authorized business purposes and only by people and systems with a need to know.

## 2. Confidential data classes
| Class | Examples | Minimum handling rule |
| --- | --- | --- |
| Public | published policy pages, approved marketing pages | approved disclosure only |
| Internal | operating procedures, ordinary business records | workforce and approved vendors only |
| Confidential | customer data, contracts, financial records, product roadmaps, nonpublic security information | least privilege, access logging, encryption in transit and at rest where feasible |
| Restricted | health data, PHI, government IDs, credentials, children’s data, precise location, biometric data, trade secrets, unreleased vulnerability details | explicit approval, heightened security, limited retention, incident escalation |

## 3. Duties
Personnel and vendors must protect confidential information, use it only for authorized purposes, avoid unauthorized disclosure, report suspected incidents immediately, and return or destroy information at termination or contract end unless retention is required.

## 4. Need-to-know access
Access to confidential or restricted information requires a legitimate business purpose, role-based permission, authentication, periodic review, and revocation when no longer needed.

## 5. Confidential health and patient data
Health data, PHI, and patient information must be handled under applicable law, customer instructions, BAAs, minimum necessary principles, audit controls, and approved clinical workflows. Do not use patient data for marketing, model training, or product development unless specifically authorized, lawful, and documented.

## 6. AI tools and confidential data
Confidential data may not be entered into external AI tools unless the tool has been reviewed, approved, and configured to prevent unauthorized retention, training, disclosure, or cross-customer use. AI outputs that contain confidential data inherit the same classification.

## 7. Legal requests and compelled disclosures
Legal demands must be referred to legal/compliance. Unless prohibited, NEXQ will seek to provide notice to affected customers or users and challenge overbroad requests where appropriate.

## 8. Review and enforcement
Violations may result in access removal, contract remedies, discipline, reporting to customers or regulators, and legal action. The policy owner reviews this policy at least annually and after material incidents.
