Version 2026-05-22 · Last updated 22 May 2026
We collect the information you provide when you create a workspace or accept an invitation (name, email, role) plus the operational records you store in the product (assets, work orders, attachments). We do not collect biometric or sensitive financial data.
We process your personal data under the consent you give when you accept these terms. Tenant administrators may additionally process personal data under the legitimate interest of operating their organisation.
Each operator chooses the hosting region. KSA-resident deployments keep all workspace data inside Saudi Arabia.
We use the following sub-processors to deliver NextEAM. Each processes personal data only on our documented instructions and is bound by a data-processing agreement covering confidentiality, security, and breach-notification obligations consistent with PDPL Art. 17:
| Sub-processor | Purpose | Region |
|---|---|---|
| Alibaba Cloud (Aliyun) | Compute, storage, managed database (primary infrastructure) | Riyadh, KSA |
| Microsoft 365 / Exchange Online | Transactional email delivery (invitations, password resets, system notifications) | EU / global Microsoft regions |
| Anthropic, OpenAI | AI features (optional per tenant; PII-masked prompts) | USA |
For the broader compliance posture and procurement artifacts, see our trust and security page. The current sub-processor list is published with the Data Processing Agreement and is available on request via dpo@nexteam.me. We notify tenant administrators 30 days before adding or replacing any sub-processor that processes personal data on behalf of customer workspaces.
We publish a Data Processing Agreement aligned to PDPL obligations. The DPA is signed with every paying tenant and is available on request to qualified enterprise prospects. Request a copy via dpo@nexteam.me — we respond within two business days.
In the event of a personal data breach we notify the Saudi Data & AI Authority (SDAIA) within 72 hours per PDPL Article 22, and notify affected tenant administrators in the same window. Our internal response procedure follows a documented runbook covering detection, containment, severity classification, regulator and customer notification, and post-incident review.
Next Tech Corporation has designated a Data Protection Officer (DPO) responsible for PDPL compliance, data-subject rights handling, and oversight of processing activities.
DPO contact: dpo@nexteam.me · Next Tech Corporation, Riyadh, Kingdom of Saudi Arabia.
The DPO is reachable for data-subject rights requests (access, rectification, deletion, consent withdrawal), questions about how your personal data is processed, and breach disclosures. We aim to respond within 30 days as required by PDPL Art. 4.
For tenant-administrator-routed questions, contact your tenant administrator. For DPO matters, write directly to dpo@nexteam.me.