← Back to NEXQ Legal Center

Contract effective date: September 18, 2024. Audit release: July 9, 2026. Runtime consent and session timestamps are recorded when users actually interact with NEXQ systems.

Incident Response and Breach Notification Policy

Template and counsel-review notice. This document is a website/app integration template, not a legal opinion. Before publication, replace bracketed placeholders, confirm actual data flows, obtain advice from qualified counsel for each jurisdiction and regulated workflow, and approve final wording through privacy, security, product, marketing, health/clinical, and executive stakeholders. Do not promise controls, certifications, response times, retention periods, or legal rights unless they are actually implemented and operationally supported.

Effective date: September 18, 2024
Last updated: September 18, 2024
Organization: NEXQ Inc.
Services covered: NEXQ websites, web applications, protected workspace surfaces, mobile app surfaces, APIs, secure healthcare and healthtech workflow demonstrations, quantum encryption, diagnostics, oncology, longevity, research collaboration, support, and related services
Privacy contact: hello@nexq.us
Security contact: hello@nexq.us
Mailing address: Irvine, CA, United States — contact hello@nexq.us for legal notices

1. Purpose

This policy governs security incidents, privacy incidents, unauthorized data access/disclosure, ransomware, business email compromise, lost devices, cloud misconfiguration, vendor incidents, AI incidents, medical/clinical safety events, and suspected breach-notification events.

2. Incident categories

Category Examples Escalation
Security malware, credential compromise, vulnerability exploitation, DDoS Security lead and incident commander
Privacy unauthorized access, disclosure, deletion failure, wrong-recipient email Privacy/legal immediately
Health/HIPAA/consumer health PHI/ePHI, SUD/Part 2, consumer health data, reproductive health data Privacy/legal/healthcare compliance immediately
Financial/GLBA/payment customer financial records, payment data, bank/credit data Legal/security/finance immediately
Student/FERPA education records, school data Legal/customer success/privacy immediately
AI harmful automation, privacy leakage, biased consequential decision, prompt-injection compromise AI governance/security/legal
Medical device/clinical patient safety, device malfunction, diagnostic support error Clinical/regulatory/security/legal

3. First-hour actions

Preserve evidence, contain the issue, stop unsafe processing, assign an incident commander, open privileged legal/security workspace, record times, identify affected systems, prevent further access, and notify legal/privacy/security leadership. Do not externally characterize an incident as a “breach” until legal makes the determination.

4. Notification analysis

Legal must assess federal/state breach laws, HIPAA Breach Notification Rule, 42 CFR Part 2, FTC Health Breach Notification Rule, GLBA Safeguards Rule notification requirements, state consumer-health-data laws, biometric laws, FERPA/customer terms, payment-card rules, DOJ Data Security Program, app-store rules, regulator notice, customer notice, law-enforcement coordination, and contractual timelines.

5. Evidence and documentation

Maintain an incident chronology, forensic evidence, affected-data analysis, impacted-person counts, containment steps, eradication, recovery, root cause, control gaps, approvals, external communications, regulatory notices, customer notices, and post-incident remediation.

6. Communications

Use approved templates. Communications must be accurate, non-speculative, concise, and aligned with legal determinations. Avoid statements that understate risk, blame users/vendors prematurely, promise outcomes not yet verified, or disclose sensitive security details.

7. Post-incident remediation

After containment and recovery, conduct a lessons-learned review, update risk registers, revise policies, patch controls, update vendor requirements, train affected teams, and verify remediation evidence.