# Open Source, Third-Party Software, and Notices Policy

> **Customization required.** This template is provided for policy operations and counsel review. Replace every `NEXQ-reviewed value`, verify every factual statement, and confirm applicability before publication. The template is not legal advice and does not create an attorney-client relationship.

**Effective date:** September 18, 2024  
**Last updated:** September 18, 2024  
**Owner:** NEXQ privacy, security, and legal operations  
**Applies to:** NEXQ websites, web applications, protected workspace surfaces, mobile app surfaces, APIs, secure healthcare and healthtech workflow demonstrations, quantum encryption, diagnostics, oncology, longevity, research collaboration, support, and related services

This policy governs open source software and third-party components used by NEXQ.

## 1. Approval
Open source dependencies must be reviewed for license, security, maintenance, provenance, export controls, and compatibility with product distribution.

## 2. License compliance
Maintain notices, attribution, license texts, source-offer obligations, and distribution requirements. Copyleft licenses require legal review before incorporation into distributed software.

## 3. Security
Dependencies must be scanned, pinned where appropriate, updated, and monitored for vulnerabilities and malicious packages.

## 4. AI-generated code
AI-generated code must be reviewed for license risk, security, quality, and originality before use.

## 5. Notices
Publish required notices at https://nexq.us/legal-policy-bundle/site/policies/open-source-policy.html or inside the app.

## Audit addendum
Open-source intake must include license review, dependency scanning, provenance, vulnerability monitoring, SBOM generation where appropriate, export-control review, AI/model license review, and replacement/patch plans for abandoned dependencies.
