At a glance
NEXT AI defines a data breach as the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to customer data. If a breach is confirmed, NEXT notifies affected customers (controllers) without undue delay, initiates email/phone outreach to registered contacts, and provides periodic updates on progress and impact. NEXT AI has not had an identified data breach since commencing operations.
Under GDPR, controllers must notify the supervisory authority without undue delay and, at the latest, within 72 hours of becoming aware of a personal-data breach (unless the breach is unlikely to result in a risk to individuals). Processors must notify controllers promptly so controllers can meet those duties.
What NEXT AI sends in a breach notice
NEXT AI's Incident Response process captures the details controllers need to assess notification duties. Notices typically include: summary of the incident, dates/times, systems and data types potentially affected, initial severity rating, known indicators/evidence being preserved, containment and remediation steps, and recommended controller actions (e.g., customer communications, credential resets).
Communications & updates
NEXT’s on-call team coordinates a communications plan for Medium/High-severity incidents, with multiple periodic updates per day where needed and a post-incident review to share root cause and improvements. Evidence (e.g., logs, images, files) is preserved to support investigations and, if appropriate, law-enforcement engagement.
For the full lifecycle, roles, and timelines for handling incidents, see Incident Response.
FAQ
Q: What counts as a “data breach” here?
Any accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to customer data.
Q: Who will NEXT notify and how fast?
NEXT notifies impacted customers (controllers) without undue delay after becoming aware of a breach, so controllers can meet legal timelines (e.g., 72 hours to the authority under GDPR).
Q: Will NEXT notify data subjects directly?
Under GDPR, controllers determine if and when to notify data subjects (e.g., where there is a high risk). NEXT supports controllers with facts and remediation details to inform that decision.
Q: What information will NEXT include in its notice?
Incident summary, timing, affected systems/data categories, preliminary severity, steps taken/underway, recommended actions, and follow-up schedule; evidence is preserved for investigation. NEXT AI keeps up with the latest best practices and laws to always meet the industry's expectations.
Q: How does NEXT communicate during an incident?
Through the registered security/support contacts (email and, when available, phone) with periodic updates until containment and recovery are complete, followed by a post-incident review.
Q: What if the breach involves cross-border data?
NEXT informs controllers promptly; controllers determine the relevant authority and international-transfer considerations. The EDPB’s breach-notification guidance provides practical examples for risk assessment and reporting.