NAVEX Data Privacy Resource Center

NAVEX is committed to continual proactive communication in the face of a shifting global data privacy landscape. We dedicate significant resources to anticipate, interpret, and adapt our privacy program to changes in international privacy law. Recent decisions by the Court of Justice of the European Union (CJEU) are likely to have raised questions for our customers. NAVEX continues to assess the potential impact such rulings may have on our customers and makes appropriate changes as we work to support their compliance objectives.
Furthermore, NAVEX’s worldwide operations are structured to protect customers from data privacy breaches and support regulatory compliance to the greatest extent feasible. We embody a companywide “culture of privacy” and adhere to a “privacy by design” principle for our products and services.
Read on to learn more about the specific ways NAVEX works to protect your organization’s data.
Even without the protections once offered by the EU-US Privacy Shield (invalidated by the CJEU in its Schrems II ruling), NAVEX helps customers comply with global regulations using broadly accepted data privacy measures. With the new Standard Contractual Clauses (SCCs), the supplementary measures recommended by the European Data Protection Board (EDPB), strong encryption and other technical measures designed to prevent improper access, and a low likelihood of public authority disclosure requests, our customers can expect any data transfers to be made in line with data protection requirements.
Still have questions? Please contact our dedicated Privacy Team by emailing privacy@navexglobal.com.
NAVEX is committed to limiting the processing of customer data as much as is feasible in the provision of our services. We have built processes, organizational structures, and technical measures throughout our company to ensure we meet or exceed global privacy principles.
NAVEX’s Data Processing Addendum is regularly reviewed and updated to reflect applicable data privacy requirements, including the following provisions:
Click here to learn more about executing a Data Processing Addendum and/or a Data Security Addendum with NAVEX.
NAVEX implements industry-leading security standards:
Standardized Data Questionnaires
Annual Security Reviews
Regular Vulnerability Scanning
International Security Standards
Encrypted Customer Data Backups
NAVEX maintains a written information security program built on administrative, physical, and technical safeguards to ensure the security and confidentiality of our customers’ data. These measures protect our customers against anticipated security threats or hazards, prevent unauthorized access, and ensure secure disposal of data according to applicable industry standards.
Customers who are interested in more detail about our information security program are encouraged to review our Standardized Information Gathering Questionnaire (SIG), which is updated annually and available to customers upon request.
NAVEX proactively ensures the security of our applications through frequent vulnerability testing, adherence to global security standards (ISO 27001), and regular security program audits. Penetration testing and SOC 2 Type II audits are conducted by independent third parties.
NAVEX follows the principle of least privilege when granting employee access to systems, limiting each employee to the minimum access necessary to provide our services. In addition to regular cybersecurity and personal privacy training, all employee access to backend systems is protected by multi-factor authentication and stringent password requirements.
Depending on customer location, which NAVEX entity they have contracted with, and their specific data obligations, customer data will be hosted in either the EU or the US. NAVEX products use data centers in the US (Dallas) and the EU (Frankfurt), each of which meets Tier III designation requirements. Individual center standards, when combined with our multi-center architecture, provide a level of resilience that NAVEX considers equivalent to Tier IV or better.
We hold our hosting providers to the same high organizational standards as our own organization when it comes to protecting customer data. Our data centers adhere to the following standards and certifications:
Certifications & Compliance | North America (Dallas) | EU (Frankfurt)
HIPAA | ✓ | N/A
HITRUST | ✓ |
ISO 27001 | ✓ | ✓
PCI DSS | ✓ | ✓
NIST 800-53 | ✓ |
SOC 1 | ✓ | ✓
SOC 2 | ✓ | ✓
Energy Star | ✓ | N/A
Uptime Institute M&O Approval | ✓ |
NAVEX Global encrypts customer data at rest using either full-disk encryption or Transparent Data Encryption (TDE) within the database. All data in transit over untrusted networks is encrypted using TLS.
For more detail on storage in relation to the specific product or service used by you, as a customer, please contact your account executive or our customer support team.
Backups are stored in our data center in each region (US or EU, as determined by customer allocation) and replicated to a backup data center within the same region over encrypted, secure channels. Our databases are continuously replicated, and our systems are backed up nightly to meet NAVEX’s defined Recovery Point Objective.
Even after the Schrems II ruling, customers can rest assured that NAVEX has implemented effective processes, structures, and safeguards to enable data transfers between the EU and the US that comply with applicable international law. NAVEX uses the new Standard Contractual Clauses (SCCs), the recommended supplementary measures, and additional contractual mechanisms to help eliminate uncertainty and facilitate the effective use of our products.
Government access requests are rare, but NAVEX has established response policies and processes to defend your data against such requests. Every request is reviewed by our legal team to ensure it has a valid legal basis and is challenged where there are grounds to do so. While NAVEX has never received a FISA, EO 12333, or CLOUD Act request, in recent years we have received a limited number of formal requests for customer data from courts, investigative bodies, and non-governmental private parties (typically for information requested in civil actions), which are detailed in our annually published Transparency Report.
Nearly all requests for data relate to our AlertLine and EthicsPoint products. While requests are often overbroad when received, our legal team works to narrow the scope to only the relevant reports. NAVEX has never created a backdoor or master key for any of our products or services and has never allowed any government unfettered or direct access to our servers.
The highly trained agents who process hotline intake calls through our 24x7 global contact centers handle customer data only in a limited capacity. Once a report is certified and submitted to the secure system, agents no longer have any access to it.
The only exception to this rule is report follow-up: if a reporter calls back and can provide the report key and password set up during the initial report, agents can access the report details to provide information to the caller, including status updates or company responses. Hotline users can also use these same credentials to follow up on their cases through the web intake site.
Contact center agents are subject to rigorous pre-employment screening and continual training, and they do not have access to our underlying database.
NAVEX is fully committed to upholding the highest standards of protection of our customers’ personal data. We recognize that the effective collection, processing, and leverage of personal data generates incredible value for a broad swath of industries, and understand that data will continue to shape the global business landscape for the foreseeable future. Organizations around the globe are regularly entrusted with their users’ sensitive data – data that is essential to these organizations’ business. As a trusted partner and service provider to thousands of such organizations worldwide, NAVEX embraces a shared duty of responsible, ethical usage and safe handling of this invaluable resource.
NAVEX designs applications, platforms and systems to support the promise of data privacy, confidentiality, and integrity. As a company we adhere to the philosophy of privacy by design and by default – we limit access to customer data as much as is feasible in the implementation of our solutions, delivery of our services, and support of our customers. We recognize the value of customer agency concerning data handling and empower our customers to create an implementation that best serves their specific organizational needs. We aim to one day eliminate the transfer of data outside of the EU. In the meantime, we pledge to maintain the highest global standards of personal data protection applicable.
NAVEX is proud to help our customers cultivate and safeguard their users’ trust. We take privacy seriously – it is a crucial component of our mission to create a more ethical world and commitment to do the right things right.