← Back to NEXQ Legal Center

Contract effective date: September 18, 2024. Audit release: July 9, 2026. Runtime consent and session timestamps are recorded when users actually interact with NEXQ systems.

Vendor Risk Management Policy

Template and counsel-review notice. This document is a website/app integration template, not a legal opinion. Before publication, replace bracketed placeholders, confirm actual data flows, obtain advice from qualified counsel for each jurisdiction and regulated workflow, and approve final wording through privacy, security, product, marketing, health/clinical, and executive stakeholders. Do not promise controls, certifications, response times, retention periods, or legal rights unless they are actually implemented and operationally supported.

Effective date: September 18, 2024
Last updated: September 18, 2024
Organization: NEXQ Inc.
Services covered: NEXQ websites, web applications, protected workspace surfaces, mobile app surfaces, APIs, secure healthcare and healthtech workflow demonstrations, quantum encryption, diagnostics, oncology, longevity, research collaboration, support, and related services
Privacy contact: hello@nexq.us
Security contact: hello@nexq.us
Mailing address: Irvine, CA, United States — contact hello@nexq.us for legal notices

1. Scope

This policy governs service providers, processors, subprocessors, contractors, business associates, analytics vendors, AI vendors, cloud providers, payment processors, support vendors, consultants, and any party that handles company, customer, user, patient, student, financial, or confidential data.

2. Risk tiers

Classify vendors by data sensitivity, system criticality, access level, geography, AI use, regulated data, incident impact, and substitutability. High-risk vendors require security questionnaires, contract review, privacy review, evidence review, and executive approval where appropriate.

3. Contract requirements

Contracts should address confidentiality, permitted processing, security safeguards, subprocessor approval, audit cooperation, breach/incident notice, deletion/return, data-location restrictions, AI/model-training restrictions, HIPAA BAA where applicable, FERPA restrictions where applicable, GLBA safeguards where applicable, and state privacy service-provider/processor terms.

4. Ongoing monitoring

Review high-risk vendors at least annually and after incidents, material scope changes, mergers, new subprocessors, product changes, or new regulated workflows. Maintain evidence in the vendor-risk register.

5. Offboarding

Disable access, retrieve or destroy data, obtain deletion certificates where appropriate, revoke keys/tokens, remove integrations, update subprocessors lists, and verify contract termination obligations.