At Navan, trust is embedded in everything we do. Security and privacy serve as the cornerstones of the trust our customers and investors place in us. We openly share our operational procedures and work closely with our customers and partners to meet their security needs.
Safeguarding our customers' information is of the utmost importance to Navan. To demonstrate our commitment, we offer a transparent trust profile that empowers you to use our travel and expense platform with full confidence and fulfil your regulatory requirements. Please review our trust portal by using the link below.
To ensure the continued security of its applications, Navan’s comprehensive Application Security program is tightly integrated with its Secure Software Development Life Cycle (SDLC) process. The security team collaborates closely with the development team to incorporate security measures at every step of the SDLC, including annual penetration testing and regular application security testing as part of the CI/CD pipeline. Navan's website, microservices, and Application Programming Interfaces (APIs) regularly undergo vulnerability and penetration testing, security scans, threat detection, and security assessment testing conducted by cybersecurity professionals.
Navan's detection and response team is dedicated to threat-detection engineering, vulnerability management, incident response, and crisis communication management. Navan vigilantly monitors its production environments to identify and address any vulnerabilities that might compromise data security. Our comprehensive incident response plans and playbook ensure that security events are managed promptly and effectively, minimising impact and allowing business operations to return to normal swiftly.
Navan's platform and applications are hosted in AWS cloud data centres located across multiple regional availability zones. Our strategy for securing customer data leverages robust AWS security features, including Virtual Private Clouds (VPCs), Security Groups, the AWS Key Management Service (KMS), and more. AWS data centre facilities employ innovative secure architectural engineering methodologies, which are directly incorporated into the Navan platform and infrastructure.
Navan has established detailed operating policies, procedures, and processes designed to manage the overall quality and integrity of our environment effectively. We actively monitor network activity for anomalies 24/7 and respond to security events within minutes. In addition, we've implemented proactive security measures, including perimeter defence and network intrusion prevention systems (IPSs). These IPSs monitor critical network segments for atypical network patterns in the customer environment, as well as traffic between different service tiers.
We consider our employees to be our first line and strongest defence against cyber threats. Our team receives regular training and updates on security education and best practices to drive awareness, reduce risk, and remain vigilant against potential threats. Ongoing application security training is mandatory for our developers, and Navan adheres to a multitude of industry best practices and recommendations, including those from the Open Web Application Security Project (OWASP) and other industry-standard control systems.
Navan transfers clients' data using multi-layered security mechanisms, fortified networks, and Transport Layer Security (TLS) encryption for data 'in transit'. For sensitive data 'at rest' in storage, we utilise the Advanced Encryption Standard (AES), the current industry standard for modern commercial business applications. We regularly review and update our encryption protocols, ensuring they continue to meet industry standards and effectively counter the latest encryption-breaking tactics.
Navan's Bug Bounty programme encourages security researchers to identify and responsibly disclose potential vulnerabilities. For more details and to report a vulnerability, please visit our Bug Bounty page and review our terms.
Navan maintains a formal and comprehensive security programme designed to safeguard against security threats or data breaches, prevent unauthorised access, and uphold the security and integrity of our customers' data. The specifics of our security programme are outlined in our third-party security audits and international certifications. Regular audits by third-party assessors evaluate our internal controls, ensuring the protection of the security, confidentiality, integrity, availability, and privacy of the information our customers entrust to us.
For detailed information on how we manage and protect your personal data, kindly refer to our Privacy Policy. Should you have further questions regarding privacy, please do not hesitate to contact us at [email protected].
Should you have any questions, concerns, or incidents to report, please don't hesitate to contact us at [email protected]. We prioritise data security and are committed to maintaining a secure environment.