Data subprocessors
To deliver the NEXT AI service, NEXT AI uses a small set of vetted subprocessors under Data Processing Agreements (DPAs). Contracts flow down GDPR Article 28 obligations, and controllers are informed of changes to the subprocessor list under the DPA, with an opportunity to object as required. Where international transfers occur, EU Standard Contractual Clauses (SCCs) or other lawful mechanisms are used.
Approved subprocessors
Subprocessor
Region / Location
Purpose
Data processed (as applicable)
Amazon Web Services (AWS)
Ireland, EU
Cloud infrastructure (storage, backups, CDN, DNS, SSL, domain mgmt., email)
Anonymized content, email address, IP address
AssemblyAI
EU or US (explicit choice)
Speech-to-text
User-added content (when using transcription)
Gladia
EU
Speech-to-text
User-added content (when using transcription)
Intercom
US
Customer engagement & messaging
Name, email, IP, analytics
OpenAI
US
AI processing (e.g., transcription/LLM functions where configured)
User-added content
Microsoft Azure AI
EU or US (explicit choice)
AI processing (e.g., transcription/LLM functions where configured)
User-added content
How NEXT manages subprocessors
- Risk-based due diligence & inventory (service description, data types, access, controls, assurance).
- Contracts & DPAs: Article 28(4) obligations flow down to subprocessors; change notifications & objection handled per DPA (Article 28(2)).
- International transfers: Where required, NEXT AI implements EU SCCs (2021) to legitimize transfers controller→processor and processor→subprocessor.
- Minimization: NEXT AI aims to use as few subprocessors as possible to deliver the service.
Related topics
FAQ
Q: How can controllers get notified of new or changed subprocessors?
NEXT provides notice of intended changes to the subprocessor list and allows objections as required under GDPR Art. 28(2) via the DPA. Contact security@nextapp.co if you need to confirm your notification channel.
Q: Do you support EU-only processing for AI/transcription?
Yes—per the list above, AssemblyAI and Microsoft Azure AI can be used in the EU, and Gladia is EU-hosted. Configure your workspace to use EU options where required. Refer to vendor rows and your contract/SOW for specifics.
Q: What due-diligence does NEXT perform on subprocessors?
NEXT follows a vendor-management program (inventory, risk tiering, control reviews, contractual clauses, and audit/assurance as needed).
Q: Can customers object to a new subprocessor?
Yes—controllers may object within the DPA-specified window after notice, consistent with GDPR Art. 28(2).
Subprocessors details (expanded)
Amazon Web Services
- Location: Ireland, European Union
- Security certifications: SOC 2 Type II and more
- Data processed: Anonymized content, email address, IP address.
- Use: Data storage, backups, CDN, DNS, SSL, domain management, emails.
- DPA signed: Yes – incorporated into terms
AssemblyAI
- Location: European Union or United States (explicit choice)
- Security certifications: SOC 2 Type II
- Data processed: User-added content (when using transcription).
- Use: Audio and video transcription
- DPA signed: Yes – incorporated into terms
Gladia
- Location: European Union
- Security certifications: GDPR Compliant and SOC 2 Type II in progress
- Data processed: User-added content (when using transcription).
- Use: Audio and video transcription
- DPA signed: Yes – incorporated into terms
Intercom
- Location: San Francisco, United States.
- Security certifications: ISO 27001, SOC 2 Type II, HIPAA, CSA.
- Data processed: User name, email address, IP address, analytics
- Use: Marketing and transactional emails
- DPA signed: Yes – incorporated into terms
OpenAI
- Location: United States
- Security certifications: SOC 2 Type II
- Data processed: User-added content
- Use: Audio and video transcription
- DPA signed: Yes – incorporated into terms
Microsoft Azure AI
azure.microsoft.com/en-us/solutions/ai
- Location: European Union or United States (explicit choice)
- Security certifications: SOC 2 Type II
- Data processed: User-added content
- Use: Audio and video transcription
- DPA signed: Yes – incorporated into terms