At a glance
To deliver the NEXT AI service, NEXT AI uses a small set of vetted subprocessors under Data Processing Agreements (DPAs). Contracts flow down GDPR Article 28 obligations, and controllers are informed of changes to the subprocessor list under the DPA, with an opportunity to object as required. Where international transfers occur, EU Standard Contractual Clauses (SCCs) or other lawful mechanisms are used.
Approved subprocessors
Subprocessor | Region / Location | Purpose | Data processed (as applicable) |
Amazon Web Services (AWS) | Ireland, EU | Cloud infrastructure (storage, backups, CDN, DNS, SSL, domain mgmt., email) | Anonymized content, email address, IP address |
AssemblyAI | EU or US (explicit choice) | Speech-to-text | User-added content (when using transcription) |
Gladia | EU | Speech-to-text | User-added content (when using transcription) |
Intercom | US | Customer engagement & messaging | Name, email, IP, analytics |
OpenAI | US | AI processing (e.g., transcription/LLM functions where configured) | User-added content |
Microsoft Azure AI | EU or US (explicit choice) | AI processing (e.g., transcription/LLM functions where configured) | User-added content |
How NEXT manages subprocessors
Risk-based due diligence & inventory (service description, data types, access, controls, assurance).
Contracts & DPAs: Article 28(4) obligations flow down to subprocessors; change notifications & objection handled per DPA (Article 28(2)).
International transfers: Where required, NEXT AI implements EU SCCs (2021) to legitimize transfers controller→processor and processor→subprocessor.
Minimization: NEXT AI aims to use as few subprocessors as possible to deliver the service.
Related topics
FAQ
Q: How can controllers get notified of new or changed subprocessors?
NEXT provides notice of intended changes to the subprocessor list and allows objections as required under GDPR Art. 28(2) via the DPA. Contact security@nextapp.co if you need to confirm your notification channel.
Q: Do you support EU-only processing for AI/transcription?
Yes—per the list above, AssemblyAI and Microsoft Azure AI can be used in the EU, and Gladia is EU-hosted. Configure your workspace to use EU options where required. Refer to vendor rows and your contract/SOW for specifics.
Q: What due-diligence does NEXT perform on subprocessors?
NEXT follows a vendor-management program (inventory, risk tiering, control reviews, contractual clauses, and audit/assurance as needed).
Q: Can customers object to a new subprocessor?
Yes—controllers may object within the DPA-specified window after notice, consistent with GDPR Art. 28(2).
Subprocessors details (expanded)
Amazon Web Services
Location: Ireland, European Union
Security certifications: SOC 2 Type II and more
Data processed: Anonymized content, email address, IP address.
Use: Data storage, backups, CDN, DNS, SSL, domain management, emails.
DPA signed: Yes – incorporated into terms
AssemblyAI
Location: European Union or United States (explicit choice)
Security certifications: SOC 2 Type II
Data processed: User-added content (when using transcription).
Use: Audio and video transcription
DPA signed: Yes – incorporated into terms
Gladia
Location: European Union
Security certifications: GDPR Compliant and SOC 2 Type II in progress
Data processed: User-added content (when using transcription).
Use: Audio and video transcription
DPA signed: Yes – incorporated into terms
Intercom
Location: San Francisco, United States.
Security certifications: ISO 27001, SOC 2 Type II, HIPAA, CSA.
Data processed: User name, email address, IP address, analytics
Use: Marketing and transactional emails
DPA signed: Yes – incorporated into terms
OpenAI
Location: United States
Security certifications: SOC 2 Type II
Data processed: User-added content
Use: Audio and video transcription
DPA signed: Yes – incorporated into terms
Microsoft Azure AI
Location: European Union or United States (explicit choice)
Security certifications: SOC 2 Type II
Data processed: User-added content
Use: Audio and video transcription
DPA signed: Yes – incorporated into terms