Contract effective date: September 18, 2024. Audit release: July 9, 2026. Runtime consent and session timestamps are recorded when users actually interact with NEXQ systems.
Quantum and Post-Quantum Cryptography Policy
Template and counsel-review notice. This document is a website/app integration template, not a legal opinion. Before publication, replace bracketed placeholders, confirm actual data flows, obtain advice from qualified counsel for each jurisdiction and regulated workflow, and approve final wording through privacy, security, product, marketing, health/clinical, and executive stakeholders. Do not promise controls, certifications, response times, retention periods, or legal rights unless they are actually implemented and operationally supported.
Effective date: September 18, 2024
Last updated: September 18, 2024
Organization: NEXQ Inc.
Services covered:
NEXQ websites, web applications, protected workspace surfaces, mobile app surfaces, APIs, secure healthcare and healthtech workflow demonstrations, quantum encryption, diagnostics, oncology, longevity, research collaboration, support, and related services
Privacy contact: hello@nexq.us
Security contact: hello@nexq.us
Mailing address: Irvine, CA, United States — contact hello@nexq.us for legal notices
1. Scope
This policy governs cryptography, encryption, digital signatures, key exchange, certificates, code signing, encrypted backups, long-retention confidential data, healthcare data, payment and financial data, government-related data, software supply chain security, and post-quantum cryptography planning.
2. Required inventory
Maintain a cryptographic asset inventory that identifies algorithms, protocols, libraries, certificates, keys, hardware/security modules, data protected, retention period, vendor owner, rotation cycle, quantum vulnerability, migration priority, and compensating controls. Prioritize data with a long confidentiality lifetime because “harvest now, decrypt later” risks can affect records that must remain confidential for years.
3. NIST post-quantum standards
Use NIST-approved and production-appropriate standards when available. NIST’s current principal post-quantum standards include FIPS 203 (ML-KEM) for key encapsulation, FIPS 204 (ML-DSA) for digital signatures, and FIPS 205 (SLH-DSA) for hash-based digital signatures. The organization must not market systems as “quantum-impervious,” “invulnerable,” or “future-proof.” Use “post-quantum migration planning” or “quantum-resistant controls where implemented and verified.”
4. Migration controls
- Inventory public-key cryptography across TLS, SSH, VPN, S/MIME, code signing, JWT/JWS, document signing, backups, IoT/medical devices, mobile apps, APIs, vendor integrations, and embedded systems.
- Classify systems by cryptographic agility and ability to support hybrid or future algorithms.
- Track vendor roadmaps and validate claims with configuration evidence.
- Preserve rollback capability and interoperability testing.
- Monitor performance, key/certificate sizes, side-channel guidance, library maturity, and compliance obligations.
5. Regulated and long-life data
Healthcare, hospital, biometric, genetic, financial, government, defense, children/student, trade secret, and legal data may require higher migration priority. Tie quantum migration to retention schedules and data minimization: deleting data that no longer has a valid retention need reduces quantum-era risk.
6. Audit evidence
Keep crypto inventories, library versions, certificate scans, threat models, migration decisions, exception approvals, vendor attestations, test results, and board/security committee updates. Review at least annually and after relevant NIST, FIPS, browser, operating system, cloud, or vendor updates.