Vendor management

Written by Moodi Mahmoudi
Updated over 2 weeks ago

At a glance

NEXT AI applies a risk-based vendor management program: we perform due diligence before onboarding, maintain a vendor inventory with risk tiering, require security/privacy clauses in contracts (incl. incident handling, data-return/destruction, and geographic limits), and conduct ongoing monitoring for critical suppliers. See Data subprocessors for vendors used to deliver the NEXT service.

Due diligence (onboarding)

Before granting access or exchanging data, NEXT AI evaluates a vendor’s security posture, business practices, and legal commitments. Reviews include supply-chain risk topics such as modern slavery; assurance artifacts may include SOC 2 reports, security questionnaires, or equivalent evidence appropriate to the service.

Vendor inventory

NEXT AI maintains an inventory capturing each vendor's risk level, data types shared, service description, point of contact (POC), access method, key controls, and security report/questionnaire status.

Risk tiering

  • High – vendor stores/has access to sensitive data or failure would be critical.

  • Moderate – no sensitive data access; failure is not critical.

  • Low – no data access; minimal impact if failed.

Contracts & clauses

Contracts for vendors processing confidential data or providing critical services include:

  • Vendor responsibility for safeguarding data in its possession;

  • Independent validation of controls (e.g., SOC 2 or equivalent) on a recurring basis;

  • Incident response responsibilities, including timelines aligned to SLAs;

  • Return or destruction of data at termination;

  • Responsibilities for secured interconnections (e.g., firewalls/routers);

  • Geographic limits on data storage/transfer when required.

Ongoing monitoring

NEXT may audit a vendor or request updated assurance to confirm compliance with contractual, regulatory, and policy requirements; results inform continued risk tiering and remediation tracking.

Data subprocessors

To minimize risk, NEXT uses as few subprocessors as possible to provide the service. The current list is published on Data subprocessors.

Standards alignment

NEXT’s approach follows recognized guidance for Cybersecurity Supply Chain Risk Management (C-SCRM) (NIST SP 800-161r1) and leverages SOC 2 Trust Services Criteria for third-party assurance.

FAQ

Q: What evidence does NEXT AI request during vendor due diligence?

Depending on service/risk: SOC 2 reports (or equivalent), completed security questionnaires, and documentation of key controls; contractual commitments are reviewed prior to onboarding.

Q: How does NEXT AI classify vendor risk?

Each vendor is assigned High/Moderate/Low based on data sensitivity and business impact; this drives contract requirements and monitoring depth.

Q: What contract clauses are required for high-risk vendors?

Security/privacy obligations, independent control validation, incident notification timelines, data return/destruction, secured connections, and (where applicable) data-location limits.

Q: Does NEXT AI maintain a vendor inventory? What’s in it?

Yes: risk level, data types shared, service description, point of contact (POC), access method, key controls, and the latest security report/questionnaire.

Q: How often are vendors re-assessed?

Periodically, on a risk basis: critical vendors may be reviewed more frequently, and ad-hoc reviews occur upon material changes or incidents, consistent with C-SCRM practice.

Q: Where can I see NEXT AI’s current subprocessors?

They’re listed on Data subprocessors in the Help Center.