Skip to content.

NAVEX Data Privacy Resource Center

Privacy is a top priority for NAVEX, and we are committed to protecting one of your most valuable assets – your data.

NAVEX is committed to continual proactive communication in the face of a shifting global data privacy landscape. We dedicate significant resources to anticipate, interpret, and adapt our privacy program to changes in international privacy law. Recent decisions by the European Union Court of Justice are likely to have raised questions for our customers – NAVEX continues to assess the potential impact such rulings may have on our customers and make appropriate changes as we work to support their compliance objectives.

Furthermore, NAVEX’s worldwide operations are structured to protect customers from data privacy breaches and support regulatory compliance to the greatest extent feasible. We embody a companywide “culture of privacy” and adhere to a “privacy by design” principle for our products and services.

Read on to learn more about the specific ways NAVEX works to protect your organization’s data. 


Protecting Customer Data After Schrems II

Even without the protections offered by the (now invalid) Privacy Shield, NAVEX helps customers comply with global regulations using broadly accepted data privacy measures. With New Standard Contractual Clauses (SCCs), supplementary measures recommended by the EDPB, strong encryption and other technical measures designed to prevent improper access, and low likelihood of public authority disclosure requests, our customers can expect any data transfers to be made in line with data protection requirements.

Key findings of our data transfer risk assessments:

  • Internal analysis and external counsel review lead us to believe NAVEX data transfers do not fall within the typical focus of US surveillance law. We also offer to provide supplementary measures to protect any data transferred.
  • Based on the nature of our services and data processing activities, public authority requests are exceedingly rare. NAVEX has never received a FISA, EO12333, or CLOUD Act request.
  • The New Standard Contractual Clauses can be applied to protect customer data transfers, including customers who elect US hosting, contract with our US entity, transfer between our US and European entities, and transfers between NAVEX and our sub-processors.
  • Data is encrypted in transit and at rest.
  • Customers have the option to select EU servers for our service applications – NAVEX has offered EU-based contact centers and data storage since 2013.
  • NAVEX continually assesses and develops its contractual, technical, and organizational safeguards to protect data transfers.

Still have questions? Please contact our dedicated Privacy Team by emailing

NAVEX is committed to limiting the processing of customer data as much as is feasible in the provision of our services. We have built processes, organizational structures, and technical measures throughout our company to ensure we meet or exceed global privacy principles. 

NAVEX’s Data Processing Addendum is regularly reviewed and updated to reflect applicable data privacy requirements, including the following provisions:

  • Processing of personal data is only carried out on our customers’ instruction.
  • Processed data is subject to standard data protection requirements.
  • All personnel authorized to process personal data are subject to stringent confidentiality policies and procedures.
  • Customers are notified of requests from Data Subjects upon receipt. NAVEX will not respond without customer consent, and will assist customers in meeting their requirements along with responding to such requests.
  • NAVEX utilizes strict confidentiality agreements and a rigorous employee training program to ensure any personnel involved in processing personal data maintain confidentiality. These agreements extend beyond the conclusion of an employee’s tenure with NAVEX.
  • NAVEX has appointed a data protection officer who can be contacted directly at
  • NAVEX’s sub-processors are subject to the same stringent standards and organizational requirements. NAVEX is liable for the acts and omissions of its sub-processors to the same extent if we were performing the services ourselves.

Click here to learn more about executing a Data Processing Addendum and/or a Data Security Addendum with NAVEX.


Our products are designed to help you protect your organization’s data, comply with global regulations, and cultivate trust.

NAVEX implements industry-leading security standards:

  • Standardized Data Questionnaires

    • Our annual Standardized Information Gathering Questionnaire (SIG) – available upon request – details our robust organizational data security controls.
  • Annual Security Reviews

    • Each year, NAVEX engages an independent third party to conduct a rigorous “SOC 2 Type 2” audit, as well as third-party PEN tests performed on all web applications and infrastructure.
  • Regular Vulnerability Scanning

    • Monthly web application scans, weekly internal network scans, and daily external network scans ensure the integrity of our information systems and hosted applications.
  • International Security Standards

    • NAVEX’s primary data centers, located in the EU and US, maintain the requirements for policies, procedures and processes mandated by the international ISO 27001 data security standard.
  • Encrypted Customer Data Backups

    • Data is protected by encryption at rest using either full-disk encryption or within the database using TDE. Our databases are backed up every 15 minutes, backups are replicated using secure channels, and our systems are backed up nightly.

Data Privacy FAQs

How can I be sure my data is secure?

NAVEX maintains a written information security program built with administrative, physical, and technical safeguards to ensure the security and confidentiality of our customers’ data. These measures protect our customers against anticipated security threats or hazards, prevents unauthorized access, and ensures secure disposal of data according to applicable industry standards

Customers who are interested in more detail about our information security program are encouraged to review our Standardized Information Gathering Questionnaire (SIG), which is updated annually and available to customers upon request.

How does NAVEX test their data security?

NAVEX proactively ensures the security of our applications through frequent vulnerability testing, adherence to global security standards (ISO 27001), and regular security program audits. Penetration testing and SOC II Type 2 audits are conducted by independent third parties.

Who has access to my data?

NAVEX follows the principle of “least privilege” when granting employee access to systems to limit exposure to the minimum access necessary to provide our services. In addition to regular cybersecurity and personal privacy training, all employee access to “backend” systems is protected by multifactor authentication and stringent password requirements.

Where is my data stored?

Depending on customer location, which NAVEX entity they have contracted with and their specific data obligations, customer data will be hosted in either the EU or the US. NAVEX products use data centers in the US (Dallas) and EU (Frankfurt), each of which meet Tier III designation requirements. Individual center standards, when combined with our multi-center architecture, equate to Tier IV or better data reliability standards.

Which certifications and compliance standards do your data center adhere to?

We hold our hosting providers to the same high organizational standards as our own organization when it comes to protecting customer data. Our data centers adhere to the following standards and certifications:

Certifications & Compliance

North America (Dallas)

EU (Frankfurt)




ISO 27001


NIST 800-53



Energy Star


Uptime Institute M&O Approval


Is my data encrypted?

NAVEX Global employs encryption at rest using either full-disk encryption or within the database using TDE. All data on untrusted systems are encrypted in flight using TLS.

For more detail on storage in relation to the specific product or service used by you, as a customer, please contact your account executive or our customer support team.

Is my data backed up?

Backups are stored in our data center in each region (US or EU, as determined by customer allocation) and replicated to a backup data center within the same region through encrypted and secure channels. Our databases are constantly replicated, and our systems backed up nightly to meet NAVEX’s defined Recovery Point Objective.

Without the Privacy Shield, how is data transferred between the EU and US?

Even after the Schrems II ruling, customers can rest assured that NAVEX has implemented effective processes, structures, and safeguards to enable data transfers between the EU and US that comply with applicable international law. NAVEX uses New Standard Contractual Clauses (SCCs), recommended supplemental measures, and additional contractual mechanisms to help eliminate uncertainty and facilitate the effective use of our products.

How does NAVEX deal with requests for customer data from public authorities or other private entities?

Government access requests are rare, NAVEX has established response policies and processes to defend your data against such requests. Every request is reviewed by our legal team to ensure it has a valid legal basis and challenged where there are grounds to do so. While NAVEX has never received a FISA, EO12333, or CLOUD Act request, in recent years we have received a limited number of formal requests for customer data from courts, investigative bodies and non-governmental private parties (typically for information requested in civil actions), which are detailed in our annually published Transparency Report.

Nearly all requests for data are related to our AlertLine and EthicsPoint products. While requests are often overbroad when received, our legal team works to narrow the scope to only relevant reports. NAVEX has never created a backdoor or master key for any of our products or services and have never allowed any government unfettered or direct access to our servers.

Do contact center agents have access to my data?

The highly trained agents who process hotline intake calls through our 24x7 global contact centers receive customer data in a limited capacity. Once reports are certified and submitted to the secure system, agents no longer have any access to customer data.

The only exception to this rule is in the case of report follow-up – if a reporter calls back and can provide the report key and password set up during the initial report, agents can access report details to provide information to the caller, including status updates or company responses. Hotline users can also use these credentials to follow up on their cases using the web intake site.

Contact center agents are subject to rigorous pre-employment screening, continual training, and do not have access to our underlying database.

Our Commitment to Data Privacy

We are all responsible for valuing, respecting and protecting the data entrusted to us.

NAVEX is fully committed to upholding the highest standards of protection of our customers’ personal data. We recognize that the effective collection, processing, and leverage of personal data generates incredible value for a broad swath of industries, and understand that data will continue to shape the global business landscape for the foreseeable future. Organizations around the globe are regularly entrusted with their users’ sensitive data – data that is essential to these organizations’ business. As a trusted partner and service provider to thousands of such organizations worldwide, NAVEX embraces a shared duty of responsible, ethical usage and safe handling of this invaluable resource.

NAVEX designs applications, platforms and systems to support the promise of data privacy, confidentiality, and integrity. As a company we adhere to the philosophy of privacy by design and by default – we limit access to customer data as much as is feasible in the implementation of our solutions, delivery of our services, and support of our customers. We recognize the value of customer agency concerning data handling and empower our customers to create an implementation that best serves their specific organizational needs. We aim to one day eliminate the transfer of data outside of the EU. In the meantime, we pledge to maintain the highest global standards of personal data protection applicable.

NAVEX is proud to help our customers cultivate and safeguard their users’ trust. We take privacy seriously – it is a crucial component of our mission to create a more ethical world and commitment to do the right things right.