Current Subprocessors List
At a glance
To deliver the NEXT service, NEXT uses a small set of vetted subprocessors under Data Processing Agreements (DPAs). Contracts flow down GDPR Article 28 obligations. NEXT provides at least 30 days' prior notice of any new or replacement subprocessor via this page and email, with a 15-day window for controllers to object on data protection grounds, as set out in the DPA. Where international transfers occur, EU Standard Contractual Clauses (SCCs) or other lawful mechanisms are used. Subprocessors marked as "Optional Feature" are engaged only when the customer enables the corresponding feature in their workspace settings.
Approved subprocessors
Subprocessor | Region / Location | Purpose | Data processed (as applicable) |
Amazon Web Services (AWS) | Ireland, EU | Cloud infrastructure (storage, backups, CDN, DNS, SSL, domain mgmt., email) | Anonymized content, email address, IP address |
AssemblyAI | EU or US (explicit choice) | Speech-to-text | User-added content (when using transcription) |
Gladia | EU | Speech-to-text | User-added content (when using transcription) |
Intercom | US | Customer engagement & messaging | Name, email, IP, analytics |
OpenAI | US | AI processing (e.g., transcription/LLM functions where configured) | User-added content |
Microsoft Azure AI | EU or US (explicit choice) | AI processing (e.g., transcription/LLM functions where configured) | User-added content |
How NEXT manages subprocessors
Risk-based due diligence & inventory (service description, data types, access, controls, assurance).
Contracts & DPAs: Article 28(4) obligations flow down to subprocessors; change notifications & objections are handled per the DPA (Article 28(2)).
International transfers: Where required, NEXT AI implements EU SCCs (2021) to legitimize transfers controller→processor and processor→subprocessor.
Minimization: NEXT AI aims to use as few subprocessors as possible to deliver the service.
FAQ
Q: How can controllers get notified of new or changed subprocessors?
NEXT provides notice of intended changes to the subprocessor list and allows objections as required under GDPR Art. 28(2) via the DPA. Contact security@nextapp.co if you need to confirm your notification channel.
Q: Do you support EU-only processing for AI/transcription?
Yes—per the list above, AssemblyAI and Microsoft Azure AI can be used in the EU, and Gladia is EU-hosted. Configure your workspace to use EU options where required. Refer to vendor rows and your contract/SOW for specifics.
Q: What due diligence does NEXT perform on subprocessors?
NEXT follows a vendor-management program (inventory, risk tiering, control reviews, contractual clauses, and audit/assurance as needed).
Q: Can customers object to a new subprocessor?
Yes — controllers may object in writing within 15 days of receiving a Subprocessor Change Notice, on reasonable data protection grounds. If no objection is raised within this period, the change is deemed accepted. If an objection cannot be resolved, the customer may terminate the affected subscription and receive a pro-rata refund of prepaid fees. See DPA Section 6 for full details.
Subprocessor details (expanded)
Amazon Web Services
Location: Ireland, European Union
Security certifications: SOC 2 Type II and more
Data processed: Anonymized content, email address, IP address.
Use: Data storage, backups, CDN, DNS, SSL, domain management, emails.
DPA signed: Yes – incorporated into terms
AssemblyAI
Location: European Union or United States (explicit choice)
Security certifications: SOC 2 Type II
Data processed: User-added content (when using transcription).
Use: Audio and video transcription
DPA signed: Yes – incorporated into terms
Gladia
Location: European Union
Security certifications: GDPR Compliant and SOC 2 Type II in progress
Data processed: User-added content (when using transcription).
Use: Audio and video transcription
DPA signed: Yes – incorporated into terms
Intercom
Location: San Francisco, United States.
Security certifications: ISO 27001, SOC 2 Type II, HIPAA, CSA.
Data processed: User name, email address, IP address, analytics
Use: Marketing and transactional emails
DPA signed: Yes – incorporated into terms
OpenAI
Location: United States
Security certifications: SOC 2 Type II
Data processed: User-added content
Use: Audio and video transcription
DPA signed: Yes – incorporated into terms
Microsoft Azure AI
Location: European Union or United States (explicit choice)
Security certifications: SOC 2 Type II
Data processed: User-added content
Use: Audio and video transcription
DPA signed: Yes – incorporated into terms