← Back to NEXQ Legal Center

Contract effective date: September 18, 2024. Audit release: July 9, 2026. Runtime consent and session timestamps are recorded when users actually interact with NEXQ systems.

Quantum and Post-Quantum Cryptography Policy

Template and counsel-review notice. This document is a website/app integration template, not a legal opinion. Before publication, replace bracketed placeholders, confirm actual data flows, obtain advice from qualified counsel for each jurisdiction and regulated workflow, and approve final wording through privacy, security, product, marketing, health/clinical, and executive stakeholders. Do not promise controls, certifications, response times, retention periods, or legal rights unless they are actually implemented and operationally supported.

Effective date: September 18, 2024
Last updated: September 18, 2024
Organization: NEXQ Inc.
Services covered: NEXQ websites, web applications, protected workspace surfaces, mobile app surfaces, APIs, secure healthcare and healthtech workflow demonstrations, quantum encryption, diagnostics, oncology, longevity, research collaboration, support, and related services
Privacy contact: hello@nexq.us
Security contact: hello@nexq.us
Mailing address: Irvine, CA, United States — contact hello@nexq.us for legal notices

1. Scope

This policy governs cryptography, encryption, digital signatures, key exchange, certificates, code signing, encrypted backups, long-retention confidential data, healthcare data, payment and financial data, government-related data, software supply chain security, and post-quantum cryptography planning.

2. Required inventory

Maintain a cryptographic asset inventory that identifies algorithms, protocols, libraries, certificates, keys, hardware/security modules, data protected, retention period, vendor owner, rotation cycle, quantum vulnerability, migration priority, and compensating controls. Prioritize data with a long confidentiality lifetime because “harvest now, decrypt later” risks can affect records that must remain confidential for years.

3. NIST post-quantum standards

Use NIST-approved and production-appropriate standards when available. NIST’s current principal post-quantum standards include FIPS 203 (ML-KEM) for key encapsulation, FIPS 204 (ML-DSA) for digital signatures, and FIPS 205 (SLH-DSA) for hash-based digital signatures. The organization must not market systems as “quantum-impervious,” “invulnerable,” or “future-proof.” Use “post-quantum migration planning” or “quantum-resistant controls where implemented and verified.”

4. Migration controls

5. Regulated and long-life data

Healthcare, hospital, biometric, genetic, financial, government, defense, children/student, trade secret, and legal data may require higher migration priority. Tie quantum migration to retention schedules and data minimization: deleting data that no longer has a valid retention need reduces quantum-era risk.

6. Audit evidence

Keep crypto inventories, library versions, certificate scans, threat models, migration decisions, exception approvals, vendor attestations, test results, and board/security committee updates. Review at least annually and after relevant NIST, FIPS, browser, operating system, cloud, or vendor updates.