← Back to NEXQ Legal Center

Contract effective date: September 18, 2024. Audit release: July 9, 2026. Runtime consent and session timestamps are recorded when users actually interact with NEXQ systems.

Trust and Security Policy

Template and counsel-review notice. This document is a website/app integration template, not a legal opinion. Before publication, replace bracketed placeholders, confirm actual data flows, obtain advice from qualified counsel for each jurisdiction and regulated workflow, and approve final wording through privacy, security, product, marketing, health/clinical, and executive stakeholders. Do not promise controls, certifications, response times, retention periods, or legal rights unless they are actually implemented and operationally supported.

Effective date: September 18, 2024
Last updated: September 18, 2024
Organization: NEXQ Inc.
Services covered: NEXQ websites, web applications, protected workspace surfaces, mobile app surfaces, APIs, secure healthcare and healthtech workflow demonstrations, quantum encryption, diagnostics, oncology, longevity, research collaboration, support, and related services
Privacy contact: hello@nexq.us
Security contact: hello@nexq.us
Mailing address: Irvine, CA, United States — contact hello@nexq.us for legal notices

1. Purpose

This Trust and Security Policy describes our baseline security, privacy, governance, and assurance program. It should be published only after confirming that every stated control is implemented or clearly labeled as planned.

2. Security framework

We align governance to recognized frameworks such as NIST Cybersecurity Framework 2.0 and NIST Privacy Framework. The program includes governance, risk management, asset inventory, identity and access management, data security, vulnerability management, secure development, third-party risk, incident response, recovery, privacy engineering, and executive oversight.

3. Administrative safeguards

4. Technical safeguards

5. Product and SDLC controls

Security and privacy review should occur at design, implementation, pre-launch, and post-launch. New features must complete data-flow mapping, threat modeling, privacy impact review, consent/notice review, vendor/SDK review, AI review where applicable, and accessibility review.

6. Third-party assurance

Vendors must be risk-ranked, reviewed before onboarding, contractually bound to security/privacy obligations, monitored during use, and offboarded safely. High-risk vendors require evidence such as security reports, policies, certifications, penetration-test summaries, or customer-audit materials.

7. Public claims

Do not publish claims such as “bank-grade security,” “military-grade encryption,” “HIPAA compliant,” “SOC 2 certified,” “ISO certified,” “FDA compliant,” “quantum-impervious,” or “irreversibly deidentified analytics” unless evidence supports the exact claim and legal approves the wording.

8. Vulnerability disclosure

Maintain a safe channel for vulnerability reporting. Do not threaten good-faith researchers who comply with the policy. Triage, remediate, and communicate according to risk, exploitability, legal obligations, and customer commitments.