# Subprocessor and Vendor Transparency Policy

> **Customization required.** This template is provided for policy operations and counsel review. Replace every `NEXQ-reviewed value`, verify every factual statement, and confirm applicability before publication. The template is not legal advice and does not create an attorney-client relationship.

**Effective date:** September 18, 2024  
**Last updated:** September 18, 2024  
**Owner:** NEXQ privacy, security, and legal operations  
**Applies to:** NEXQ websites, web applications, protected workspace surfaces, mobile app surfaces, APIs, secure healthcare and healthtech workflow demonstrations, quantum encryption, diagnostics, oncology, longevity, research collaboration, support, and related services

This policy explains how NEXQ manages subprocessors and vendors that process personal information.

## 1. Vendor categories
Subprocessors may include cloud hosting, infrastructure, monitoring, analytics, communications, support, payments, identity, security, AI model providers, data storage, and healthtech integration vendors.

## 2. Review
Before engagement, vendors are reviewed for security, privacy, confidentiality, data location, subprocessors, breach notice, deletion, audit support, and regulatory requirements.

## 3. Contract controls
Vendor agreements must include confidentiality, data processing instructions, security safeguards, breach notice, subprocessors, retention/deletion, audit or assurance, and restricted use terms.

## 4. Customer notice
Maintain current subprocessor list at https://nexq.us/legal-policy-bundle/site/policies/subprocessor-policy.html and provide notices of material changes where required by contract or law.

## 5. High-risk vendors
AI, health, biometric, children’s, advertising, payment, and infrastructure vendors require enhanced review.
