Wherever your data is hosted, NAVEX governance, risk and compliance (GRC) software meets global data privacy requirements – protecting your data, privacy and peace of mind.
If your data is hosted in the US, your data is held in compliance with the requirements of the EU General Data Protection Regulation (GDPR). If your data is hosted in the EU, your data is safely stored and protected in Frankfurt, Germany, and backed up in Amsterdam, the Netherlands, also in full compliance with the GDPR.
Get further hosting details here.
An independent third-party annual audit report that confirms NAVEX system and service security upholds your data availability and confidentiality.
NAVEX has certification for cross-border data transfers to the U.S. in compliance with EU law. Our certification for the Data Privacy Framework satisfies any Schrems issues for transfers to the U.S.
For further information on how NAVEX processes customer data, get in touch with our data privacy team at privacy@navex.com.
On Schrems II and the Data Privacy Framework
While the Schrems II decision brought data transfers to U.S. businesses into focus, it doesn’t directly impact NAVEX operations. What bolsters our position here is our strict alignment with the new Data Privacy Framework (DFP). This ensures a compliant and secure channel for data transfers between the EU/UK and our U.S. business operations. This makes our data transfers fully compliant and eliminates the need for additional measures.
Additionally, U.S. surveillance laws detailed within the Schrems II decision don’t directly apply to us. That means the Schrems II decision has effectively no bearing on regulatory risk around data transfers and privacy if you use NAVEX services.
The affected data collection practices involve the collection of communications data, which applies almost exclusively to large email and social media organizations.
Other organizations come into scope as they may be considered a security risk under U.S. law. NAVEX also doesn’t fall into this category.
NAVEX is classified as a U.S. person under U.S. law. In the unlikely event of NAVEX coming into the scope of the ruling, the U.S. government is prevented from targeting the communications of NAVEX (and its third parties) without very specific and strict procedures to follow. These extra protections from the U.S. person classification would not apply to organizations that aren’t classified as a U.S. person – including those based in the EU.
For extra coverage, NAVEX also uses supplementary measures recommended by the EDP on top of using the latest Standard Contractual Clauses (SCCs).
*This is the reasonable opinion of NAVEX following the counsel of internal and external legal experts. For more technical details, customers can reach out to our data privacy team for additional info.
Our customers trust our security standards. We put in the work to earn that trust.
Consistent monthly web application scans, weekly internal network scans and daily external network scans for systems and applications keep your data safe.
Third-party independent experts also PEN test all our web applications and infrastructure every year – because there are always ways to improve and our experts are always alert.
Limiting access to your data naturally means a tighter standard of privacy and protection.
As well as our built-in software security and certifications, we limit access to customer data in several other ways:
We also ensure all our employees undergo regular cybersecurity, data and personal privacy training to keep their awareness and knowledge up to date.
Just reach out to our dedicated Privacy Team at privacy@navex.com.