Effective 2026-04-29 · Reviewed annually
Operational Policies
The policies below govern how Nightbox LLC operates. Each is reviewed annually or on material change.
1. Records Retention Policy
Nightbox retains records in accordance with US federal and California state requirements and industry best practice for biotech R&D.
| Record class | Minimum retention |
|---|---|
| Tax records (federal and state returns) | 7 years |
| Banking and financial records | 7 years |
| Contracts and signed agreements | Term + 7 years (15 years for licenses) |
| R&D laboratory notebooks and primary data | Indefinitely (life of related IP + 5 years minimum) |
| FDA-regulated electronic records (Part 11) | 2 years post-marketing approval or 6 years post-discontinuation, whichever later |
| Clinical trial records (when applicable) | 25 years per ICH GCP / FDA 21 CFR §312.62(c) |
| Email correspondence (business) | Indefinitely on Google Workspace |
| Server access logs | 30 days hot, 1 year cold |
| Chat agent transcripts | 90 days unless required for active engagement |
2. Acceptable Use Policy
Use of Nightbox systems (email, chat agent, repos, internal tools) is limited to Nightbox business purposes. Prohibited:
- Unauthorized access to or disclosure of Confidential Information
- Copyright or trademark infringement
- Knowingly introducing malware or vulnerable third-party code
- Use of Nightbox systems for personal commercial purposes
- Transmission of Protected Health Information (PHI) without an executed BAA
- Bypassing brand-cloak or output-sanitization layers in production
Violations may result in immediate access revocation and, where applicable, civil or criminal referral.
3. Code of Conduct
- Honesty in claims. Computational results are labeled in silico. Forward-looking statements are labeled forward-looking. Clinical claims await clinical evidence.
- Honesty in attribution. Cited sources are real. Co-authors are credited. Researchers whose work enabled ours are acknowledged on /humans.txt.
- No misrepresentation of relationships. Federal agencies and commercial counterparties are not described as partners, investors, or endorsers unless the relationship is documented and current.
- Patient orientation. When clinical engagement begins, the patient interest comes first.
- Reportable behavior. Any pressure to deviate from this Code should be reported to legal@nightboxllc.com. We do not retaliate against good-faith reporters.
4. Conflict of Interest Policy
Each member of the team (founder, employees, contractors, advisors) shall:
- Disclose any outside financial interest, board service, or advisory role that creates an actual or potential conflict with Nightbox interests
- Recuse from decisions where a personal financial interest exists
- Update disclosures annually and within 30 days of any material change
For federally-funded work, additional disclosures per 42 CFR §50.604 (NIH) and 2 CFR §200.318 (federal procurement standards) apply.
5. Data Classification
| Class | Examples | Handling |
|---|---|---|
| Public | Site content, preprint, published research | Anywhere |
| Internal | Outreach lists, draft documents | Founder access only |
| Confidential | Provisional patent draft, financials, cap table | NDA-gated |
| Restricted | CUI per a federal agreement (when applicable) | NIST SP 800-171 controls; encrypted at rest and in transit |
6. Vulnerability Disclosure Program (VDP)
Per CISA BOD 20-01 best practice. See /security and /.well-known/security.txt. Acknowledgment within 72 hours; remediation timeline within 7 days; public credit on request.
7. Sanctions and OFAC Compliance
Nightbox does not transact with parties on the US Treasury Office of Foreign Assets Control (OFAC) Specially Designated Nationals list or in comprehensively sanctioned jurisdictions. Counterparty screening occurs prior to any contract execution.
8. Reporting and amendment
Concerns or proposed amendments to these policies may be sent to legal@nightboxllc.com. Material changes are version-stamped and published on this page.
Policy ownership: Founder & CEO. Next review: 2027-04-29.