At a glance
Access to NEXT AI infrastructure and systems is granted on a minimum-necessary (least-privilege) basis. Employee identities are unique and protected with multi-factor authentication (MFA). For support, customer permission and manager approval are required, and access is temporary and need-to-use only. Enterprise Workspaces are physically separated across different AWS accounts, and NEXT AI personnel do not have physical access to AWS data centers.
Access control principles & procedures
Least privilege / need-to-use — Access is provisioned strictly for the duties required. (Aligned with recognized access-control guidance.)
Unique identity + MFA — Every employee uses unique credentials; MFA is enforced for infrastructure access.
Time-bound access — Elevated access is temporary and granted only for the duration of a justified task.
Support access procedure
Customer consent first — If troubleshooting requires visibility into customer data, NEXT AI seeks written permission (email or ticket).
Manager approval — Any access must be approved by a manager and granted temporarily.
Operational oversight — Access is controlled per policy and supported by platform/infrastructure logging (see Logging & Monitoring).
Physical data separation for Enterprise clients
Enterprise Workspaces can opt to have their data physically separated across different AWS accounts, limiting blast radius and clarifying boundaries (see Physical data separation and Logical data separation).
Enterprise option: For dedicated, per-tenant isolation, Enterprise Workspaces run in their own AWS accounts, see Physical separation.
Physical controls (AWS)
NEXT AI runs on Amazon Web Services. AWS data centers use layered security (e.g., professional security staff, surveillance/detection systems, MFA-protected ingress to data halls, alarmed doors).
custom-designed electronic access cards
motion alarms and sensors
video surveillance
perimeter fencing
metal detectors
biometrics
NEXT employees have no physical data center access.
Framework alignment
Access-control design and least-privilege practices align with NIST SP 800-53 Rev. 5 concepts (AC family; least privilege).
Controls align with ISO/IEC 27001 ISMS practices for access control and risk-based governance.
Related topics
User roles (application-level authorization),
FAQ
Q: Does NEXT AI enforce least-privilege access?
Yes. Access is provisioned on a minimum-necessary / need-to-use basis and is time-bound when elevated.
Q: Can support staff view our data to troubleshoot an issue?
Only with customer written permission, and only after manager approval. Any access is temporary and limited to the scope of the case.
Q: Do NEXT AI employees use MFA to access infrastructure?
Yes. MFA is enforced for employee access to infrastructure systems.
Q: Is it possible to have a Workspaces that is physically isolated from other Workspaces?
Yes. Enterprise Workspaces can opt to be physically separated across different AWS accounts to reduce blast radius and improve boundary controls. Other Workspaces are logically separated (multitenancy).
Q: Do NEXT AI employees have physical access to the data centers?
No. Physical security is handled by AWS; NEXT personnel do not have physical access to AWS data centers.
Q: Which standards does NEXT AI’s approach align with?
Access control and least-privilege principles align with NIST SP 800-53 Rev. 5 and ISO/IEC 27001 ISMS practices.