Contract effective date: September 18, 2024. Audit release: July 9, 2026. Runtime consent and session timestamps are recorded when users actually interact with NEXQ systems.
Incident Response and Breach Notification Policy
Template and counsel-review notice. This document is a website/app integration template, not a legal opinion. Before publication, replace bracketed placeholders, confirm actual data flows, obtain advice from qualified counsel for each jurisdiction and regulated workflow, and approve final wording through privacy, security, product, marketing, health/clinical, and executive stakeholders. Do not promise controls, certifications, response times, retention periods, or legal rights unless they are actually implemented and operationally supported.
Effective date: September 18, 2024
Last updated: September 18, 2024
Organization: NEXQ Inc.
Services covered:
NEXQ websites, web applications, protected workspace surfaces, mobile app surfaces, APIs, secure healthcare and healthtech workflow demonstrations, quantum encryption, diagnostics, oncology, longevity, research collaboration, support, and related services
Privacy contact: hello@nexq.us
Security contact: hello@nexq.us
Mailing address: Irvine, CA, United States — contact hello@nexq.us for legal notices
1. Purpose
This policy governs security incidents, privacy incidents, unauthorized data access/disclosure, ransomware, business email compromise, lost devices, cloud misconfiguration, vendor incidents, AI incidents, medical/clinical safety events, and suspected breach-notification events.
2. Incident categories
| Category | Examples | Escalation |
|---|---|---|
| Security | malware, credential compromise, vulnerability exploitation, DDoS | Security lead and incident commander |
| Privacy | unauthorized access, disclosure, deletion failure, wrong-recipient email | Privacy/legal immediately |
| Health/HIPAA/consumer health | PHI/ePHI, SUD/Part 2, consumer health data, reproductive health data | Privacy/legal/healthcare compliance immediately |
| Financial/GLBA/payment | customer financial records, payment data, bank/credit data | Legal/security/finance immediately |
| Student/FERPA | education records, school data | Legal/customer success/privacy immediately |
| AI | harmful automation, privacy leakage, biased consequential decision, prompt-injection compromise | AI governance/security/legal |
| Medical device/clinical | patient safety, device malfunction, diagnostic support error | Clinical/regulatory/security/legal |
3. First-hour actions
Preserve evidence, contain the issue, stop unsafe processing, assign an incident commander, open privileged legal/security workspace, record times, identify affected systems, prevent further access, and notify legal/privacy/security leadership. Do not externally characterize an incident as a “breach” until legal makes the determination.
4. Notification analysis
Legal must assess federal/state breach laws, HIPAA Breach Notification Rule, 42 CFR Part 2, FTC Health Breach Notification Rule, GLBA Safeguards Rule notification requirements, state consumer-health-data laws, biometric laws, FERPA/customer terms, payment-card rules, DOJ Data Security Program, app-store rules, regulator notice, customer notice, law-enforcement coordination, and contractual timelines.
5. Evidence and documentation
Maintain an incident chronology, forensic evidence, affected-data analysis, impacted-person counts, containment steps, eradication, recovery, root cause, control gaps, approvals, external communications, regulatory notices, customer notices, and post-incident remediation.
6. Communications
Use approved templates. Communications must be accurate, non-speculative, concise, and aligned with legal determinations. Avoid statements that understate risk, blame users/vendors prematurely, promise outcomes not yet verified, or disclose sensitive security details.
7. Post-incident remediation
After containment and recovery, conduct a lessons-learned review, update risk registers, revise policies, patch controls, update vendor requirements, train affected teams, and verify remediation evidence.