# Trust and Security Policy

> **Template and counsel-review notice.** This document is a website/app integration template, not a legal opinion. Before publication, replace bracketed placeholders, confirm actual data flows, obtain advice from qualified counsel for each jurisdiction and regulated workflow, and approve final wording through privacy, security, product, marketing, health/clinical, and executive stakeholders. Do not promise controls, certifications, response times, retention periods, or legal rights unless they are actually implemented and operationally supported.


**Effective date:** September 18, 2024  
**Last updated:** September 18, 2024  
**Organization:** NEXQ Inc.  
**Services covered:** NEXQ websites, web applications, protected workspace surfaces, mobile app surfaces, APIs, secure healthcare and healthtech workflow demonstrations, quantum encryption, diagnostics, oncology, longevity, research collaboration, support, and related services  
**Privacy contact:** hello@nexq.us  
**Security contact:** hello@nexq.us  
**Mailing address:** Irvine, CA, United States — contact hello@nexq.us for legal notices


## 1. Purpose
This Trust and Security Policy describes our baseline security, privacy, governance, and assurance program. It should be published only after confirming that every stated control is implemented or clearly labeled as planned.

## 2. Security framework
We align governance to recognized frameworks such as NIST Cybersecurity Framework 2.0 and NIST Privacy Framework. The program includes governance, risk management, asset inventory, identity and access management, data security, vulnerability management, secure development, third-party risk, incident response, recovery, privacy engineering, and executive oversight.

## 3. Administrative safeguards
- Security and privacy ownership assigned to named roles.
- Workforce onboarding, training, acceptable use, confidentiality commitments, and offboarding.
- Risk assessments for new products, vendors, AI systems, regulated data, and material changes.
- Policies reviewed at least annually or after material legal, product, vendor, or security changes.

## 4. Technical safeguards
- MFA for privileged and remote access.
- Least-privilege access and periodic access reviews.
- Encryption in transit and at rest where appropriate.
- Logging, monitoring, alerting, and incident escalation.
- Vulnerability scanning, dependency review, patching, and penetration testing appropriate to risk.
- Secrets management, code review, branch protection, CI/CD controls, and infrastructure-as-code review.

## 5. Product and SDLC controls
Security and privacy review should occur at design, implementation, pre-launch, and post-launch. New features must complete data-flow mapping, threat modeling, privacy impact review, consent/notice review, vendor/SDK review, AI review where applicable, and accessibility review.

## 6. Third-party assurance
Vendors must be risk-ranked, reviewed before onboarding, contractually bound to security/privacy obligations, monitored during use, and offboarded safely. High-risk vendors require evidence such as security reports, policies, certifications, penetration-test summaries, or customer-audit materials.

## 7. Public claims
Do not publish claims such as “bank-grade security,” “military-grade encryption,” “HIPAA compliant,” “SOC 2 certified,” “ISO certified,” “FDA compliant,” “quantum-impervious,” or “irreversibly deidentified analytics” unless evidence supports the exact claim and legal approves the wording.

## 8. Vulnerability disclosure
Maintain a safe channel for vulnerability reporting. Do not threaten good-faith researchers who comply with the policy. Triage, remediate, and communicate according to risk, exploitability, legal obligations, and customer commitments.
