At a glance
NEXT AI processes personal data in line with the EU General Data Protection Regulation (GDPR). Data is hosted in the EU, protected by strong security controls, and governed by a GDPR-compliant Data Processing Agreement (DPA). When data leaves the EEA, Standard Contractual Clauses (SCCs) are used to safeguard transfers.
What is GDPR?
The General Data Protection Regulation (GDPR) is the EU’s data protection and privacy law that sets rules for collecting, using, and storing personal data and grants individuals actionable rights over their information. It has applied since May 25, 2018. For an official overview and legal text, see the European Commission guide and the EUR-Lex regulation.
How NEXT AI aligns with GDPR
NEXT AI operates as a data processor, enabling customers (the data controllers) to meet their obligations. Alignment includes:
Lawfulness, fairness, transparency – processing tied to legitimate purposes disclosed to users.
Purpose limitation & data minimization – collect/process only what is necessary for defined use cases.
Accuracy & storage limitation – mechanisms to correct data and to retain it only as long as needed.
Integrity & confidentiality – technical/organizational measures to secure data (see Security pages).
DPA and international transfers
Data Processing Agreement (DPA): Contractual terms covering roles, security measures, and assistance with data-subject requests.
International transfers: When applicable, NEXT AI relies on the European Commission’s Standard Contractual Clauses (SCCs) for transfers to third countries. See the Commission’s SCC page and the 2021 Implementing Decision for details.
Data location
For EU clients, customer data is hosted in secure EU data centers. If a transfer outside the EEA is necessary for support or processing, SCCs apply as described above (see NEXT AI's data residency options).
Data-subject rights
GDPR grants individuals rights to access, rectify, erase, restrict/object, and port their personal data. Controllers must facilitate these, and processors must assist controllers in fulfilling requests. For practical guidance, see the European Data Protection Board (EDPB) resources on data-subject rights.
FAQ
Q: Is NEXT AI GDPR compliant?
Yes. NEXT AI processes personal data under GDPR principles and offers a GDPR-compliant DPA to customers.
Q: Where is customer data stored?
In EU-based data centers. If data must move outside the EEA for processing or support, NEXT AI uses the European Commission’s SCCs to safeguard transfers.
Q: Who is the controller and who is the processor?
Enterprise customers are typically the data controllers. NEXT AI acts as the data processor and assists controllers in meeting GDPR requirements.
Q: Can individuals request deletion (“right to be forgotten”)?
Yes. Controllers can submit erasure requests to NEXT AI; NEXT AI assists with deletion unless retention is required by law. See EDPB guidance on exercising rights.
Q: How are international data transfers handled?
NEXT AI uses the European Commission’s Standard Contractual Clauses (SCCs); see the SCC explainer and the 2021 Implementing Decision.
Q: What security controls back GDPR compliance?
Security and privacy controls (e.g., encryption, access control, monitoring) align with recognized frameworks. For a comprehensive control catalog reference, see NIST SP 800-53 Rev. 5 (informational, not an EU law).
Q: Where can I read the official GDPR text?
The full legal text is available on EUR-Lex (Regulation (EU) 2016/679). The European Commission also maintains an accessible GDPR overview.
Contact Us
If you have any questions, please email us at legal@nextapp.co.