At a glance
NEXT requires confidentiality agreements for employees, contractors, and vendors/subprocessors. Signatories agree to not disclose or misuse confidential information, to secure it during engagement, and—on termination—to return all confidential material and permanently erase any stored copies. Obligations continue after the working relationship ends.
Employee/contractor confidentiality
What the NDA covers (key clauses)
NEXT NDAs define what is confidential, duration of obligations, permitted use, ownership of information/IP, security & access safeguards, audit/monitoring, breach notification, and return or destruction at end of engagement. Clauses are periodically reviewed.
Who signs & when
Employees & contractors sign before gaining access to systems or data.
Role-appropriate language is used when third parties may access confidential information under contract.
Scope of “confidential information”, including examples
Product and roadmap details, source code, architectures, credentials/keys, customer data and metadata, pricing and commercial terms, security documentation, and non-public metrics. Exact scope is defined in the NDA.
Termination & offboarding
Upon termination, signatories must return all confidential information and permanently erase stored copies from any device or service. Continuing obligations survive termination.
Standards & regulatory alignment
GDPR (processors): persons authorized to process personal data must be bound by confidentiality (Art. 28(3)(b)).
ISO/IEC 27002:2022 Control 6.6: requires organizations to establish and periodically review confidentiality/NDAs with personnel and interested parties.
Third-party confidentiality (vendors & subprocessors)
Vendors and subprocessors that may access NEXT AI confidential information or customer data are contractually bound to confidentiality before any access is granted. This includes NDAs for external parties and security/privacy clauses in vendor contracts (e.g., incident notification, data return/destruction, and data-location limits). Access is blocked until a contract containing security controls is signed.
What vendor/subprocessor contracts require
Confidential data protection responsibilities and independent validation of controls (e.g., assurance reports).
Incident response responsibilities, including timelines aligned to SLAs.
Return or destruction of data at termination, and secured interconnections between the parties' systems.
Geographic limits on storage/transfer when required by the customer or law.
FAQ
Q: Do contractors and temporary staff sign confidentiality agreements?
Yes—contractors and temps sign before access is granted, with obligations tailored to role and data sensitivity.
Q: How long do confidentiality obligations last?
They apply during the engagement and continue after termination for the duration defined in the NDA (e.g., until information is public or a fixed period elapses).
Q: What happens at termination?
Access is removed, and the individual must return all confidential materials and permanently erase stored copies; compliance may be attested during offboarding.
Q: Does GDPR require confidentiality commitments?
Yes—where personal data is processed, GDPR Article 28(3)(b) requires that persons authorized to process it are bound by confidentiality. NEXT AI fully complies with this requirement.
Q: Are mutual NDAs available for customers, prospects, or research participants?
Where needed, NEXT can execute a mutual NDA to support evaluations, security reviews, or collaborative research, consistent with the same confidentiality principles.
Q: What types of information are typically covered?
Non-public technical, commercial, operational, and customer-related information, including personal data where applicable—handled under contract and law.
Q: Do vendors and subprocessors sign confidentiality agreements?
Yes. Vendors and subprocessors are bound by NDAs or confidentiality clauses in their contracts, and cannot access NEXT AI systems or data until the security/contractual controls are executed. Contracts include incident handling, data return/destruction, and (where applicable) data-location limits.