Skip to main content

Data subprocessors

Moodi Mahmoudi avatar
Written by Moodi Mahmoudi
Updated this week

At a glance

To deliver the NEXT AI service, NEXT AI uses a small set of vetted subprocessors under Data Processing Agreements (DPAs). Contracts flow down GDPR Article 28 obligations, and controllers are informed of changes to the subprocessor list under the DPA, with an opportunity to object as required. Where international transfers occur, EU Standard Contractual Clauses (SCCs) or other lawful mechanisms are used.

Approved subprocessors

Subprocessor

Region / Location

Purpose

Data processed (as applicable)

Amazon Web Services (AWS)

Ireland, EU

Cloud infrastructure (storage, backups, CDN, DNS, SSL, domain mgmt., email)

Anonymized content, email address, IP address

AssemblyAI

EU or US (explicit choice)

Speech-to-text

User-added content (when using transcription)

Gladia

EU

Speech-to-text

User-added content (when using transcription)

Intercom

US

Customer engagement & messaging

Name, email, IP, analytics

OpenAI

US

AI processing (e.g., transcription/LLM functions where configured)

User-added content

Microsoft Azure AI

EU or US (explicit choice)

AI processing (e.g., transcription/LLM functions where configured)

User-added content

How NEXT manages subprocessors

  • Risk-based due diligence & inventory (service description, data types, access, controls, assurance).

  • Contracts & DPAs: Article 28(4) obligations flow down to subprocessors; change notifications & objection handled per DPA (Article 28(2)).

  • International transfers: Where required, NEXT AI implements EU SCCs (2021) to legitimize transfers controller→processor and processor→subprocessor.

  • Minimization: NEXT AI aims to use as few subprocessors as possible to deliver the service.

Related topics

FAQ

Q: How can controllers get notified of new or changed subprocessors?

NEXT provides notice of intended changes to the subprocessor list and allows objections as required under GDPR Art. 28(2) via the DPA. Contact security@nextapp.co if you need to confirm your notification channel.

Q: Do you support EU-only processing for AI/transcription?

Yes—per the list above, AssemblyAI and Microsoft Azure AI can be used in the EU, and Gladia is EU-hosted. Configure your workspace to use EU options where required. Refer to vendor rows and your contract/SOW for specifics.

Q: What due-diligence does NEXT perform on subprocessors?

NEXT follows a vendor-management program (inventory, risk tiering, control reviews, contractual clauses, and audit/assurance as needed).

Q: Can customers object to a new subprocessor?

Yes—controllers may object within the DPA-specified window after notice, consistent with GDPR Art. 28(2).

Subprocessors details (expanded)

Amazon Web Services

  • Location: Ireland, European Union

  • Security certifications: SOC 2 Type II and more

  • Data processed: Anonymized content, email address, IP address.

  • Use: Data storage, backups, CDN, DNS, SSL, domain management, emails.

  • DPA signed: Yes – incorporated into terms

AssemblyAI

  • Location: European Union or United States (explicit choice)

  • Security certifications: SOC 2 Type II

  • Data processed: User-added content (when using transcription).

  • Use: Audio and video transcription

  • DPA signed: Yes – incorporated into terms

Gladia

  • Location: European Union

  • Security certifications: GDPR Compliant and SOC 2 Type II in progress

  • Data processed: User-added content (when using transcription).

  • Use: Audio and video transcription

  • DPA signed: Yes – incorporated into terms

Intercom

  • Location: San Francisco, United States.

  • Security certifications: ISO 27001, SOC 2 Type II, HIPAA, CSA.

  • Data processed: User name, email address, IP address, analytics

  • Use: Marketing and transactional emails

  • DPA signed: Yes – incorporated into terms

OpenAI

  • Location: United States

  • Security certifications: SOC 2 Type II

  • Data processed: User-added content

  • Use: Audio and video transcription

  • DPA signed: Yes – incorporated into terms

Microsoft Azure AI

  • Location: European Union or United States (explicit choice)

  • Security certifications: SOC 2 Type II

  • Data processed: User-added content

  • Use: Audio and video transcription

  • DPA signed: Yes – incorporated into terms

Did this answer your question?