Nextyn IQ
Security & Compliance

Research that's defensible. Data that's protected.

Nextyn IQ is built for regulated workflows. Every claim is sourced, every expert anonymised, every access event logged.

Compliance certifications

SOC 2 Type II

Annual audit — March 2026

GDPR

Data Processing Agreement available

PDPA (Singapore)

Personal Data Protection Act compliant

ISO 27001

Preparation in progress, target Q4 2026

The EXP-001 Anonymisation Protocol

Every expert identity is protected end-to-end — from call preparation to published intelligence.

01

Identifier Substitution

Real names are replaced with structured codes (EXP-001, EXP-002…) before any transcript leaves the recording layer. Human reviewers see codes, not names.

02

Title Genericisation

Job titles are generalised to seniority + function descriptors: 'Former VP, Asia Logistics' not 'Former VP Operations at [Company]'. Identifiable role combinations are reviewed by our compliance team.

03

Sector Descriptors

Sector references use tier-1 generic categories: 'Southeast Asian grocery logistics', not a named operator. Case studies and published intelligence never include specific company names or deal identifiers.

04

Enforcement Layer

Our AI review layer flags 94% of potential re-identification vectors before human review. Anything above a 0.4 risk score is escalated to our compliance team before the call is released to analysts.

Role-based access control

Three roles — Owner, Editor, Viewer — with granular permissions per action.

Role permissions
Action | Owner | Editor | Viewer
View projects and claims
Add expert calls
Edit thesis and annotations
Export claim ledgers / reports
Manage project members
Delete calls or projects
Access API keys

Complete audit trail

What we log

  • Every expert call ingestion (timestamp, analyst, project, call duration)
  • Every claim extraction and annotation event
  • Every export and PDF generation
  • Every login, permission change, and project access
  • Every API call including batch transcript uploads

Retention & access

  • Audit logs retained for 7 years
  • Exportable as CSV or via API (Owner role only)
  • Real-time log streaming available on Enterprise tier
  • SIEM integration available (Splunk, Datadog, Elastic)

Incident response SLAs

We follow a three-phase response protocol for security incidents.

  • Detection & triage: < 1 hour
  • Containment: < 4 hours
  • Customer notification: < 24 hours

Regulatory notification: < 72 hours per GDPR Art. 33

Responsible disclosure

We maintain a responsible disclosure programme for security researchers. If you discover a potential vulnerability, email security@nextyn.com with a description, reproduction steps, and your contact details. We respond to all valid reports within 5 business days and coordinate a disclosure timeline with the reporter. We do not pursue legal action against good-faith researchers following responsible disclosure guidelines.

Request compliance documentation

We provide compliance documentation to qualified enquirers for due diligence and vendor assessment.
