Ensuring Trust: Navan's Secure Approach

At Navan, trust is embedded in everything we do. Security and privacy serve as the cornerstones of the trust our customers and investors place in us. We openly share our operational procedures and work closely with our customers and partners to meet their security needs.

Trust Portal

Safeguarding our customers' information is of the utmost importance to Navan. To demonstrate our commitment, we offer a transparent trust profile that empowers you to use our Travel & Expense platform with full confidence and fulfill your regulatory requirements. Please review our Trust Portal by using the link below.

Product Security Features

Application Security

To ensure the continued security of its applications, Navan's comprehensive Application Security program is tightly integrated with its Secure Software Development Life Cycle (SDLC) process. The security team collaborates closely with the development team to incorporate security measures at every step of the SDLC, including annual penetration testing and regular application security testing as part of the CI/CD pipeline. Navan's website, microservices, and Application Programming Interfaces (APIs) regularly undergo vulnerability and penetration testing, security scans, threat detection, and security assessment testing conducted by cybersecurity professionals.

Detection and response

Navan's Detection & Response team is dedicated to threat detection engineering, vulnerability management, incident response, and crisis communication management. Navan vigilantly monitors its production environments to identify and address any vulnerabilities that might compromise data security. Our comprehensive incident response plans and playbook ensure that security events are managed promptly and effectively, minimizing impact and allowing business operations to return to normal swiftly. 

Infrastructure and Cloud security

Navan's platform and applications are hosted in AWS cloud data centers located across multiple regional availability zones. Our strategy for securing customer data leverages robust AWS security features, including Virtual Private Clouds (VPCs), Security Groups, the AWS Key Management Service (KMS), and more. AWS data center facilities employ innovative secure architectural engineering methodologies, which are directly incorporated into the Navan platform and infrastructure.

Network security

Navan has established detailed operating policies, procedures, and processes designed to manage the overall quality and integrity of our environment effectively. We actively monitor network activity for anomalies 24/7 and respond to security events within minutes. In addition, we've implemented proactive security measures, including perimeter defense and network intrusion prevention systems (IPSs). These IPSs monitor critical network segments for atypical network patterns in the customer environment, as well as traffic between different service tiers.

Security governance

We consider our employees to be our first line and strongest defense against cyber threats. Our team receives regular training and updates on security education and best practices to drive awareness, reduce risk, and remain vigilant against potential threats. Ongoing application security training is mandatory for our developers, and Navan adheres to a multitude of industry best practices and recommendations, including those from the Open Web Application Security Project (OWASP) and other industry-standard control systems.

Encryption

Navan transfers clients' data using multi-layered security mechanisms, fortified networks, and Transport Layer Security (TLS) encryption for data 'in transit'. For sensitive data 'at rest' in storage, we utilize Advanced Encryption Standard (AES), the current industry standard for modern commercial business applications. We regularly review and update our encryption protocols, ensuring they continue to meet industry standards and effectively counter the latest encryption-breaking tactics.

Bug bounty program

Navan's Bug Bounty program encourages security researchers to identify and responsibly disclose potential vulnerabilities. For more details and to report a vulnerability, please visit our Bug Bounty page and review our terms.

Security certifications

Navan maintains a formal and comprehensive security program designed to safeguard against security threats or data breaches, prevent unauthorized access, and uphold the security and integrity of our customers' data. The specifics of our security program are outlined in our third-party security audits and international certifications. Regular audits by third-party assessors evaluate our internal controls, ensuring the protection of the security, confidentiality, integrity, availability, and privacy of the information our customers entrust to us.

AICPA SOC 1 TYPE 2
AICPA SOC 2 TYPE 2
ISO 27001
PCI DSS Certified Level 1 Service Provider

Privacy Policy

For detailed information on how we manage and protect your personal data, kindly refer to our Privacy Policy. Should you have further questions regarding privacy, please do not hesitate to contact us at [email protected].

Contact

Should you have any questions, concerns, or incidents to report, please don't hesitate to contact us at [email protected] – we prioritize data security and are committed to maintaining a secure environment.