GDPR Compliance

Last updated: 6/29/2025

Nexogen AI processes personal data in compliance with the General Data Protection Regulation (GDPR) and applies a high standard of data protection and privacy for EU residents. This document outlines our approach to GDPR compliance.

1. EU Infrastructure and Data Sovereignty

EU-Based Infrastructure

All Nexogen AI services are hosted on infrastructure located within the European Union, so that personal data remains resident in the EU and is protected under EU law.

  • All servers located within EU member states
  • Cloud services consumed only from EU regions (AWS EU regions, Google Cloud EU regions)
  • No transfer of personal data outside the EU without the data subject's explicit consent
  • Compliance with the data protection laws of the member states in which we operate

Data Sovereignty

We maintain full control over data location and processing, ensuring that EU user data remains within EU borders and is subject to EU data protection laws.

  • Complete control over data residency
  • EU-based processing and storage
  • Protection under the EU legal framework
  • No third-party access to EU data other than by the EU-region hosting providers named above

2. Encryption and Security Standards

Encryption

We use industry-standard encryption to protect your data in transit, at rest, and, for sensitive files, on the client before upload.

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • Client-side encryption for sensitive files
  • Encrypted backups and archives

Security Infrastructure

  • Multi-factor authentication (MFA) for all accounts
  • Role-based access controls (RBAC)
  • Regular security audits and penetration testing
  • 24/7 security monitoring and threat detection
  • Secure key management and rotation

3. Legal Basis for Processing

We process personal data based on the following legal grounds under GDPR Article 6:

Contract Performance

Processing is necessary for the performance of our transcription services contract with you.

Legitimate Interests

Processing is necessary for our legitimate interests in providing and improving our services, ensuring security, and preventing fraud.

Consent

Where required, we obtain explicit consent for specific processing activities, such as marketing communications.

Legal Obligations

Processing is necessary to comply with legal obligations, such as tax requirements and data retention laws.

4. Data Protection Principles

Lawfulness, Fairness, and Transparency

  • All data processing is based on clear legal grounds
  • Processing activities are transparent and communicated to users
  • Fair treatment of all data subjects
  • Clear privacy notices and information

Purpose Limitation

  • Data is collected for specified, explicit, and legitimate purposes
  • No further processing incompatible with the original purposes
  • Clear documentation of processing purposes
  • Regular review of processing activities

Data Minimization

  • Only necessary data is collected and processed
  • Regular data audits to ensure minimization
  • Avoidance of excessive data collection
  • Purpose-driven data collection practices

Accuracy

  • Reasonable steps to ensure data accuracy
  • Prompt correction of inaccurate data
  • User tools for data verification
  • Regular data quality assessments

Storage Limitation

  • Data retention periods clearly defined
  • Automatic deletion of expired data
  • Regular review of retention policies
  • Secure deletion methods for sensitive information

Integrity and Confidentiality

  • Appropriate security measures implemented
  • Protection against unauthorized access
  • Encryption of data at rest and in transit
  • Regular security assessments and updates

5. Data Subject Rights

Under GDPR Articles 15-22, you have the following rights regarding your personal data:

Right to Access (Article 15)

You can request confirmation of whether we process your personal data and receive a copy of the data we hold about you, including information about the processing purposes, categories of data, recipients, and retention periods.

Right to Rectification (Article 16)

You can request correction of inaccurate personal data and completion of incomplete data. We will respond to such requests without undue delay.

Right to Erasure (Article 17)

You can request deletion of your personal data in specific circumstances, such as when the data is no longer necessary, consent is withdrawn, or processing is unlawful.

Right to Portability (Article 20)

You can receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller without hindrance.

Right to Object (Article 21)

You can object to processing based on our legitimate interests, and to processing for direct marketing. If you object to direct marketing, we stop that processing unconditionally. For other legitimate-interest processing, we stop unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Right to Restriction (Article 18)

You can request restriction of processing in specific circumstances, such as when you contest data accuracy or object to processing.

Exercising Your Rights

  • Submit requests through our privacy portal or by email
  • We respond without undue delay and within one month of receipt; for complex or numerous requests this may be extended by up to two further months, and we will tell you if that is the case
  • No fees for standard requests
  • We may ask you to verify your identity before acting on a request, so that personal data is not disclosed to the wrong person
  • You also have the right to lodge a complaint with a supervisory authority

6. Data Protection Measures

Technical Safeguards

Encryption

AES-256 encryption for data at rest, TLS 1.3 for data in transit

Access Controls

Multi-factor authentication, role-based access, session management

Audit Logging

Comprehensive audit trails for all data access and modifications

Data Segregation

Logical and physical separation of different data categories

Organizational Safeguards

Data Protection Officer
  • Dedicated DPO for compliance oversight
  • Independent reporting structure
  • Regular compliance assessments
  • Contact: dpo@nexogen.ai

Staff Training
  • Regular GDPR training programs
  • Data handling procedures
  • Incident response training
  • Confidentiality agreements

Infrastructure Security

EU-Based Infrastructure
  • All data stored within EU borders
  • Cloud services consumed only from EU regions
  • Data sovereignty compliance
  • Compliance with local data protection laws

Physical Security
  • Secure data centers with 24/7 monitoring
  • Restricted access controls
  • Environmental controls
  • Disaster recovery procedures

7. Data Breach Procedures

Breach Detection and Assessment

  • Automated monitoring systems for breach detection
  • 24/7 security operations center
  • Immediate incident response procedures
  • Risk assessment begins as soon as we become aware of a breach, so that notification decisions are made within the 72-hour window

Notification Requirements

  • Supervisory authority notification within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals (Article 33)
  • Data subject notification without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34)
  • Detailed breach documentation and reporting
  • Regular updates on breach status

Remediation and Prevention

  • Immediate containment and mitigation measures
  • Root cause analysis and lessons learned
  • Security improvements and policy updates
  • Regular breach response testing

8. Contact Information

For GDPR-related inquiries and to exercise your rights:

Data Protection Officer

dpo@nexogen.ai

Privacy Team

privacy@nexogen.ai

Supervisory Authority

You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not addressed your concerns adequately.