NEXT SIGHT


Compliance & trust

Intelligence work is only useful when it can stand up to scrutiny. This page sets out the regulatory posture, privacy practices, and operational discipline that govern Next Sight, the next-sight.com website, and the Nexus and Sec Manager platforms.

Operating principles

Non-negotiables on every engagement.

Lawful use
Engagements are scoped against the lawful authority and policies of the requesting organisation before any collection begins. Authority, purpose, and limits are documented and reviewed.
GDPR-aware
Data minimisation, purpose limitation, lawful basis, and retention controls are built into our workflows and tooling — not bolted on. We process personal data only where we can defend why.
Chain of custody
Provenance, time, source, and handler are recorded for every artifact across collection, analysis, and reporting, so findings stand up to internal review, regulators, and courts.
Secure-by-design
Hardened delivery, secure communications, encryption in transit and at rest, least-privilege access, and audit logging are defaults across our infrastructure and products.

Regulatory posture

Frameworks we operate under.

We do not claim certifications we do not hold. The statements below describe how Next Sight aligns its operations and products with the regulations and standards that matter for our clients.

GDPR — Regulation (EU) 2016/679

Next Sight d.o.o. acts as data controller for next-sight.com and for the Nexus and Sec Manager platforms. We operate on documented lawful bases, honour data-subject rights, maintain records of processing activities, and use Standard Contractual Clauses (SCCs) where personal data leaves the EEA.

EU AI Act — Regulation (EU) 2024/1689

Our AI features are designed against the Act's risk-tier framework. We do not deploy prohibited practices, we keep a human in the loop for material analytical outputs in Nexus, and AI-generated content is labelled as such. Training-data provenance and model behaviour are documented for higher-risk uses.

NIS2 — Directive (EU) 2022/2555

Our operational security programme is aligned with NIS2 expectations on risk management, supply-chain security, incident handling, and reporting. We support clients in regulated sectors with the artefacts they need for their own NIS2 obligations.

ePrivacy & Slovenian ZEKom-2

Cookies and similar technologies are governed by the EU ePrivacy Directive and Slovenia's Electronic Communications Act (ZEKom-2). Non-essential storage requires prior, informed, freely-given consent, captured before any analytics cookie is set in the EEA, UK, or Switzerland.

Convention 108+ & cross-border work

For cross-border engagements we apply the Council of Europe modernised Convention 108+ principles alongside GDPR, ensuring consistent protections even where local law is less prescriptive.

Professional & operational standards

Our investigative work follows the code of conduct of the Council of International Investigators and the academic and ethical standards of the Institute for Security and Strategic Research, where members of our leadership team hold formal positions.

Website privacy

How next-sight.com handles your data.

This section covers the marketing website only. The Nexus and Sec Manager platforms have their own privacy policies, linked below.

What we collect

Standard request metadata (IP address, user-agent, referrer) processed by our hosting provider for security and abuse prevention; anonymised analytics where consent has been given; and the information you choose to share when you contact us (name, email, organisation, message).

Google Analytics 4

When enabled, we use Google Analytics 4 to understand aggregate site usage. IP addresses are anonymised, advertising features are disabled, and data-retention is set to the GA4 minimum. Inside the EEA, the UK, and Switzerland, GA4 is loaded only after you opt in — the consent banner defaults to denied. Google LLC acts as processor under Google's Data Processing Terms; transfers outside the EEA rely on Standard Contractual Clauses and Google's supplementary measures.

HubSpot contact form

Our contact form is provided by HubSpot, Inc. (United States), acting as our processor under a Data Processing Agreement and EU Standard Contractual Clauses. We use the data you submit only to respond to your enquiry and to manage the resulting commercial relationship. HubSpot may set cookies necessary to deliver the form; these are not used for cross-site tracking by us. Lawful basis: Art. 6(1)(b) GDPR (steps prior to a contract) or Art. 6(1)(f) (legitimate interest in responding to a business enquiry).

Cookies set by next-sight.com

Cookie: ns_consent_v1
Purpose: Stores your analytics consent choice so the banner is not shown repeatedly.
Type: Strictly necessary (first-party)
Retention: 12 months

Cookie: _ga, _ga_*
Purpose: Google Analytics 4 — anonymised measurement of site usage. Set only after consent in the EEA/UK/CH.
Type: Analytics (first-party, Google as processor)
Retention: Up to 13 months
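The consent gate the two sections above describe (default-deny in the EEA, UK and Switzerland, GA4 loaded only after an opt-in recorded in ns_consent_v1 for 12 months, advertising signals always off) can be modelled in a few lines. The block below is an added illustration written for this page and is not code from Next Sight or from next-sight.com. Only the cookie name ns_consent_v1, its 12-month lifetime, the _ga cookies and the opt-in regions come from the page; the cookie values "granted" and "denied", the two-letter region codes, the Node-style request handling, and the assumption that no banner is required outside the opt-in regions are choices made for the example. The consent object it produces uses the keys of Google's gtag consent API (ad_storage, analytics_storage, ad_user_data, ad_personalization).

```javascript
// Added example, not Next Sight's code: a server-side consent gate that models the
// policy stated on the page. Only the cookie name ns_consent_v1, its 12-month
// lifetime, the _ga cookies and the opt-in regions (EEA, UK, Switzerland) come from
// the page; the values "granted"/"denied", the region codes and the behaviour
// outside the opt-in regions are assumptions made for this example.

const CONSENT_COOKIE = 'ns_consent_v1';
const CONSENT_MAX_AGE = 365 * 24 * 60 * 60; // 12 months, as in the cookie table

// EU-27 plus Iceland, Liechtenstein and Norway (the EEA), then the UK and Switzerland.
const OPT_IN_REGIONS = new Set([
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU',
  'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES',
  'SE', 'IS', 'LI', 'NO', 'GB', 'CH',
]);

// Parse a Cookie request header into a name -> value map (first occurrence wins).
function parseCookies(header) {
  const out = Object.create(null);
  for (const part of String(header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name && !(name in out)) out[name] = part.slice(eq + 1).trim();
  }
  return out;
}

// Decide whether GA4 may be loaded and whether the banner must be shown.
// Inside the opt-in regions the default is "denied" until a choice is recorded.
function analyticsDecision({ region, cookieHeader }) {
  const stored = parseCookies(cookieHeader)[CONSENT_COOKIE];
  if (!OPT_IN_REGIONS.has(String(region || '').toUpperCase())) {
    // Assumption for this example: outside the EEA/UK/CH no banner is required.
    return { loadGa4: true, showBanner: false, reason: 'outside opt-in regions' };
  }
  if (stored === 'granted') return { loadGa4: true, showBanner: false, reason: 'consent recorded' };
  if (stored === 'denied') return { loadGa4: false, showBanner: false, reason: 'refusal recorded' };
  return { loadGa4: false, showBanner: true, reason: 'no choice recorded: default deny' };
}

// Build the Set-Cookie header that records the visitor's choice for 12 months.
// The consent cookie itself is strictly necessary, so it needs no prior consent.
function consentSetCookie(choice) {
  if (choice !== 'granted' && choice !== 'denied') {
    throw new Error(`invalid consent value: ${choice}`);
  }
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// The object to pass to gtag('consent', 'default', ...) for a given decision.
// Advertising signals stay denied regardless ("advertising features are disabled").
function ga4ConsentConfig(decision) {
  return {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: decision.loadGa4 ? 'granted' : 'denied',
  };
}

// Constructed sample requests (not real traffic) to show the three outcomes.
const samples = [
  { region: 'SI', cookieHeader: '' },
  { region: 'SI', cookieHeader: 'ns_consent_v1=granted; _ga=GA1.1.12345.67890' },
  { region: 'GB', cookieHeader: 'ns_consent_v1=denied' },
];
for (const s of samples) {
  const d = analyticsDecision(s);
  console.log(s.region, JSON.stringify(d), JSON.stringify(ga4ConsentConfig(d)));
}
```

The point of keeping the decision in one function is auditability: the default branch (no cookie, inside an opt-in region) returns loadGa4 false, so an analytics tag can never be emitted before a recorded "granted", which is the property a reviewer will ask you to demonstrate.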

Product policies

Nexus and Sec Manager have their own policies.

Each platform documents how it handles account data, subscription data, investigation and workflow content, audit logs, and sub-processors. Those policies govern use of the respective platforms.

Nexus

AI tooling suite for security and intelligence professionals.

Sec Manager

Security management platform for structured oversight of operations, controls, and incidents.

Your rights

Data-subject rights under GDPR.

Access

Obtain confirmation of processing and a copy of your personal data.

Rectification

Correct inaccurate or incomplete personal data.

Erasure

Request deletion where the lawful basis no longer applies.

Restriction

Limit how we process your data in specific circumstances.

Portability

Receive your data in a structured, machine-readable format.

Objection

Object to processing based on legitimate interests, including profiling.

To exercise any of these rights, request a briefing via our contact form and we will route your request to the right team. You can also lodge a complaint with the Slovenian Information Commissioner (Informacijski pooblaščenec, ip-rs.si) or with the supervisory authority of your EU member state.

Engagement discipline

How we run a job.

Authority and scope are agreed in writing before any collection starts. Sources, methods, and handlers are recorded for every artifact, with timestamps and provenance, so findings remain reproducible and defensible. AI-assisted analysis is reviewed by a qualified human before it leaves the platform. Access to case data is least-privilege and audited. Materials are retained only for as long as the lawful purpose requires, then securely destroyed.

Data controller

Who is responsible.

Next Sight d.o.o.

Brnčičeva ulica 13, 1231 Ljubljana–Črnuče, Slovenia

Registration number: 9680390000

VAT ID: SI42908159

Contact: request a briefing

Frequently asked

Compliance, briefly.

Is Next Sight GDPR compliant?
Yes. Next Sight d.o.o. operates under the EU General Data Protection Regulation as data controller for this website and for the Nexus and Sec Manager platforms. We apply data minimisation, purpose limitation, and documented retention; we honour data-subject rights; and we use Standard Contractual Clauses for any transfers outside the EEA.
How do you comply with the EU AI Act?
Our AI features are designed against the EU AI Act's risk tiers. We do not implement prohibited practices, AI-generated outputs are clearly identified, and material analytical outputs in Nexus keep a human reviewer in the loop. Higher-risk uses are accompanied by documented data provenance and model behaviour.
Do you use Google Analytics on next-sight.com?
Yes — Google Analytics 4 with IP anonymisation. In the EEA, UK, and Switzerland, GA4 is loaded only after explicit consent (default-deny). No advertising signals, no remarketing, and the data retention period is set to GA4's minimum.
What happens when I submit the contact form?
The contact form is hosted by HubSpot, Inc. (United States), which processes the data on our behalf under a Data Processing Agreement and Standard Contractual Clauses. We use what you submit only to respond to your enquiry and manage the resulting commercial relationship.
Where is data stored?
Website data and analytics processing for this site are handled within the EU/EEA wherever possible, with documented transfers under SCCs for the parts processed by Google and HubSpot. For Nexus and Sec Manager, hosting and data-residency details are described in each product's privacy policy.
How do I exercise my rights or file a complaint?
Request a briefing via the contact form at next-sight.com/contact and we will route your request to the right team. You also have the right to lodge a complaint with the Slovenian supervisory authority, the Information Commissioner (Informacijski pooblaščenec — ip-rs.si), or with the supervisory authority of your EU member state.

Need a deeper compliance conversation?

We're happy to walk procurement, legal, and security reviewers through how we work and the artefacts you'll need.

Request a briefing