NAVEX Data Privacy Resource Center

Privacy is a top priority for NAVEX, and we are committed to protecting one of your most valuable assets – your data.

NAVEX is committed to continual proactive communication in the face of a shifting global data privacy landscape. We dedicate significant resources to anticipate, interpret, and adapt our privacy program to changes in international privacy law. Recent decisions by the European Union Court of Justice are likely to have raised questions for our customers – NAVEX continues to assess the potential impact such rulings may have on our customers and make appropriate changes as we work to support their compliance objectives.

Furthermore, NAVEX’s worldwide operations are structured to protect customers from data privacy breaches and support regulatory compliance to the greatest extent feasible. We embody a companywide “culture of privacy” and adhere to a “privacy by design” principle for our products and services.

Read on to learn more about the specific ways NAVEX works to protect your organization’s data. 

Protecting Customer Data After Schrems II

Even without the protections offered by the (now invalid) Privacy Shield, NAVEX helps customers comply with global regulations using broadly accepted data privacy measures. With New Standard Contractual Clauses (SCCs), supplementary measures recommended by the EDPB, strong encryption and other technical measures designed to prevent improper access, and low likelihood of public authority disclosure requests, our customers can expect any data transfers to be made in line with data protection requirements.

Key findings of our data transfer risk assessments:

• Internal analysis and external counsel review lead us to believe NAVEX data transfers do not fall within the typical focus of US surveillance law. We also offer to provide supplementary measures to protect any data transferred.
• Based on the nature of our services and data processing activities, public authority requests are exceedingly rare. NAVEX has never received a FISA, EO12333, or CLOUD Act request.
• The New Standard Contractual Clauses can be applied to protect customer data transfers, including customers who elect US hosting, contract with our US entity, transfer between our US and European entities, and transfers between NAVEX and our sub-processors.
• Data is encrypted in transit and at rest.
• Customers have the option to select EU servers for our service applications – NAVEX has offered EU-based contact centers and data storage since 2013.
• NAVEX continually assesses and develops its contractual, technical, and organizational safeguards to protect data transfers.

Still have questions? Please contact our dedicated Privacy Team by emailing privacy@navexglobal.com.

How can I be sure my data is secure?

NAVEX maintains a written information security program built with administrative, physical, and technical safeguards to ensure the security and confidentiality of our customers’ data. These measures protect our customers against anticipated security threats or hazards, prevents unauthorized access, and ensures secure disposal of data according to applicable industry standards

Customers who are interested in more detail about our information security program are encouraged to review our Standardized Information Gathering Questionnaire (SIG), which is updated annually and available to customers upon request.

How does NAVEX test their data security?

NAVEX proactively ensures the security of our applications through frequent vulnerability testing, adherence to global security standards (ISO 27001), and regular security program audits. Penetration testing and SOC II Type 2 audits are conducted by independent third parties.

Who has access to my data?

NAVEX follows the principle of “least privilege” when granting employee access to systems to limit exposure to the minimum access necessary to provide our services. In addition to regular cybersecurity and personal privacy training, all employee access to “backend” systems is protected by multifactor authentication and stringent password requirements.

Where is my data stored?

Depending on customer location, which NAVEX entity they have contracted with and their specific data obligations, customer data will be hosted in either the EU or the US. NAVEX products use data centers in the US (Dallas) and EU (Frankfurt), each of which meet Tier III designation requirements. Individual center standards, when combined with our multi-center architecture, equate to Tier IV or better data reliability standards.

Which certifications and compliance standards do your data center adhere to?

We hold our hosting providers to the same high organizational standards as our own organization when it comes to protecting customer data. Our data centers adhere to the following standards and certifications:

Is my data encrypted?

NAVEX Global employs encryption at rest using either full-disk encryption or within the database using TDE. All data on untrusted systems are encrypted in flight using TLS.

For more detail on storage in relation to the specific product or service used by you, as a customer, please contact your account executive or our customer support team.

Is my data backed up?

Backups are stored in our data center in each region (US or EU, as determined by customer allocation) and replicated to a backup data center within the same region through encrypted and secure channels. Our databases are constantly replicated, and our systems backed up nightly to meet NAVEX’s defined Recovery Point Objective.

Without the Privacy Shield, how is data transferred between the EU and US?

Even after the Schrems II ruling, customers can rest assured that NAVEX has implemented effective processes, structures, and safeguards to enable data transfers between the EU and US that comply with applicable international law. NAVEX uses New Standard Contractual Clauses (SCCs), recommended supplemental measures, and additional contractual mechanisms to help eliminate uncertainty and facilitate the effective use of our products.

How does NAVEX deal with requests for customer data from public authorities or other private entities?

Government access requests are rare, NAVEX has established response policies and processes to defend your data against such requests. Every request is reviewed by our legal team to ensure it has a valid legal basis and challenged where there are grounds to do so. While NAVEX has never received a FISA, EO12333, or CLOUD Act request, in recent years we have received a limited number of formal requests for customer data from courts, investigative bodies and non-governmental private parties (typically for information requested in civil actions), which are detailed in our annually published Transparency Report.

Nearly all requests for data are related to our AlertLine and EthicsPoint products. While requests are often overbroad when received, our legal team works to narrow the scope to only relevant reports. NAVEX has never created a backdoor or master key for any of our products or services and have never allowed any government unfettered or direct access to our servers.

Do contact center agents have access to my data?

The highly trained agents who process hotline intake calls through our 24x7 global contact centers receive customer data in a limited capacity. Once reports are certified and submitted to the secure system, agents no longer have any access to customer data.

The only exception to this rule is in the case of report follow-up – if a reporter calls back and can provide the report key and password set up during the initial report, agents can access report details to provide information to the caller, including status updates or company responses. Hotline users can also use these credentials to follow up on their cases using the web intake site.

Contact center agents are subject to rigorous pre-employment screening, continual training, and do not have access to our underlying database.