Skip to content.


NAVEX maintains comprehensive security and privacy commitments for all Customer Data processed within the Services provided to its customers. These commitments are detailed in our Data Processing Addendum (“DPA”) and our Data Security Addendum (“DSA”).

Due to the Services being provided on a multi-tenant SaaS based model across the entirety of our customer base, we are unable to modify our security and privacy program to allow us to treat one customer or its Customer Data differently from other customers. For this reason, NAVEX is unable to adapt its contract templates to individual customer requirements. Because NAVEX is unable to apply protections differently, NAVEX protects and is committed to protecting all Customer Data in line with the most stringent data protection and security standards, including the GDPR and SOC 2.

Please visit our Data Privacy Resource Center for more information on our privacy and security program.

Data Transfer Mechanism for EU and UK Personal Data

NAVEX relies on the EU Standard Contractual Clauses alongside the United Kingdom International Data Transfer Addendum (collectively, the “SCCs”) as its appropriate data transfer mechanism for EU and UK personal data. Our interpretation is that the SCCs may apply differently to each NAVEX entity. Where applicable, the SCCs are incorporated as part of NAVEX’s standard DPA as detailed below.

How to Execute the DPA and DSA

Please complete, sign, and submit the desired document via the e-signature process detailed in the applicable link below. The addendum, by its terms, will be incorporated into your existing agreement with NAVEX.


For Customers contracted directly with our US- based entity, NAVEX Global, Inc., it is our interpretation the SCCs apply regardless of your hosting location. The SCCs are incorporated into this DPA.

DPA Available here

EU Hosted Customers contracted with NAVEX European entities DPA

For those EU-hosted customers contracted with our European entities, NAVEX Global UK Limited, GCS Compliance Services Europe Unlimited Company, or WhistleB Whistleblowing Centre AB, it is our interpretation that the New Controller to Processor SCCs do not apply due to the United Kingdom’s adequacy decision. We have appropriate New Processor to Processor SCCs in place to care for the transfers taking place via our affiliates and sub-processors. Regardless, we are here to support our customers with their compliance efforts and are willing to enter into those Controller to Processor SCCs at your discretion (see below for stand-alone sets of SCCs for execution).

DPA Available here

Stand Alone SCCs

Many customers have an existing DPA with NAVEX and prefer to supplement their current addendum with the new SCCs only, including the UK Addendum and a Switzerland Addendum.

SCCs Available here


All Customers - DSA

Our stringent security requirements are applied across the entirety of our customer base.

DSA Available here

Questions? Please contact our dedicated Privacy Team by emailing