Current Subprocessors List
At a glance
To deliver the NEXT service, NEXT uses a small set of vetted subprocessors under Data Processing Agreements (DPAs). Contracts flow down GDPR Article 28 obligations. NEXT provides at least 30 days' prior notice of any new or replacement subprocessor via this page and email, with a 15-day window for controllers to object on data protection grounds, as set out in the DPA. Where international transfers occur, EU Standard Contractual Clauses (SCCs) or other lawful mechanisms are used. Subprocessors marked as "Optional Feature" are engaged only when the customer enables the corresponding feature in their workspace settings.
Approved subprocessors
Subprocessor | Region / Location | Purpose | Data processed (as applicable) |
Amazon Web Services (AWS) | Ireland, EU | Cloud infrastructure (storage, backups, CDN, DNS, SSL, domain mgmt., email) | Anonymized content, email address, IP address |
AssemblyAI | EU or US (explicit choice) | Speech-to-text | User-added content |
Gladia | EU | Speech-to-text | User-added content |
OpenAI | US | AI processing (e.g., transcription/LLM functions where configured) | User-added content |
Microsoft Azure AI | EU | AI processing (e.g., transcription/LLM functions where configured) | User-added content |
LlamaIndex | EU | PDF-to-text | User added content |
PostHog | EU | Product analytics | Name, email, IP, analytics |
How NEXT manages subprocessors
Risk-based due diligence & inventory (service description, data types, access, controls, assurance).
Contracts & DPAs: Article 28(4) obligations flow down to subprocessors; change notifications & objection handled per DPA (Article 28(2)).
International transfers: Where required, NEXT AI implements EU SCCs (2021) to legitimize transfers controller→processor and processor→subprocessor.
Minimization: NEXT AI aims to use as few subprocessors as possible to deliver the service.
Related topics
FAQ
Q: How can controllers get notified of new or changed subprocessors?
NEXT provides notice of intended changes to the subprocessor list and allows objections as required under GDPR Art. 28(2) via the DPA. Contact security@nextapp.co if you need to confirm your notification channel.
Q: Do you support EU-only processing for AI/transcription?
Yes—per the list above, AssemblyAI and Microsoft Azure AI can be used in the EU, and Gladia is EU-hosted. Configure your workspace to use EU options where required. Refer to vendor rows and your contract/SOW for specifics.
Q: What due-diligence does NEXT perform on subprocessors?
NEXT follows a vendor-management program (inventory, risk tiering, control reviews, contractual clauses, and audit/assurance as needed).
Q: Can customers object to a new subprocessor?
Yes — controllers may object in writing within 15 days of receiving a Subprocessor Change Notice, on reasonable data protection grounds. If no objection is raised within this period, the change is deemed accepted. If an objection cannot be resolved, the customer may terminate the affected subscription and receive a pro-rata refund of prepaid fees. See DPA Section 6 for full details.
Subprocessors details (expanded)
Amazon Web Services
Location: Ireland, European Union
Security certifications: SOC 2 Type II and more
Data processed: Anonymized content, email address, IP address.
Use: Data storage, backups, CDN, DNS, SSL, domain management, emails.
DPA signed: Yes – incorporated into terms
AssemblyAI
Location: European Union or United States (explicit choice)
Security certifications: SOC 2 Type II
Data processed: User-added content (when using transcription).
Use: Audio and video transcription
DPA signed: Yes – incorporated into terms
Gladia
Location: European Union
Security certifications: GDPR Compliant and SOC 2 Type II in progress
Data processed: User-added content (when using transcription).
Use: Audio and video transcription
DPA signed: Yes – incorporated into terms
OpenAI
Location: United States
Security certifications: SOC 2 Type II
Data processed: User-added content
Use: Audio and video transcription
DPA signed: Yes – incorporated into terms
Microsoft Azure AI
Location: European Union
Security certifications: SOC 2 Type II
Data processed: User-added content
Use: Audio and video transcription
DPA signed: Yes – incorporated into terms
LlamaIndex
Location: European Union
Security certifications: SOC 2 Type II
Data processed: User-added content
Use: PDF/document parsing
DPA signed: Yes – incorporated into terms
PostHog
Location: European Union
Security certifications: SOC 2 Type II
Data processed: User name, email address, IP address, analytics
Use: Product analytics
DPA signed: Yes – incorporated into terms
Questions & Answers
Questions & Answers
Does NEXT AI train on my customer data?
No. Your customer data is used exclusively to build and maintain your organization’s private customer memory. There is no data retention by NEXT AI or any underlying LLM provider for training purposes.
What security certifications does NEXT AI have?
NEXT AI is SOC 2 Type 2 certified and compliant with GDPR and CCPA. Additional capabilities include automatic PII removal, AES-256 encryption at rest, TLS 1.2+ in transit, SAML-based SSO, SCIM user provisioning, centralized security controls for model access and agent rules, and third-party penetration testing.
How does NEXT AI handle PII in customer feedback?
NEXT AI removes PII from customer feedback by default using advanced AI models. Your customer memory is built on the substance of what customers say — themes, patterns, signals — without retaining personal identifiers. PII protection is applied automatically across all sources and modalities.
Can I use my own AI model with NEXT AI?
Yes. NEXT AI is LLM-agnostic. You can bring your own model, giving you full control over which models process your data while benefiting from NEXT AI’s memory architecture, encoding, and workflow delivery capabilities.
Is NEXT AI compliant with GDPR?
Yes. NEXT AI is fully GDPR and CCPA compliant, including data residency controls, right to deletion, data processing agreements, and the ability to manage models, privacy, and agent rules globally.