Skip to content.

Your Data is Safe with Us

We know you take data privacy seriously – and so do we.

Wherever your data is hosted, NAVEX governance, risk and compliance (GRC) software meets global data privacy requirements – protecting your data, privacy and peace of mind.

woman on computer

The EU and UK GDPR

If your data is hosted in the US, your data is held in compliance with the requirements of the EU General Data Protection Regulation (GDPR). If your data is hosted in the EU, your data is safely stored and protected in Frankfurt, Germany, and backed up in Amsterdam, the Netherlands, also in full compliance with the GDPR. 

Get further hosting details here.

image of EU flag with padlock

NAVEX software meets the requirements of:

SOC II Type 2 Audit

An independent third-party annual audit report that confirms NAVEX system and service security upholds your data availability and confidentiality.

Data Privacy Framework certification

NAVEX has certification for cross-border data transfers to the U.S. in compliance with EU law. Our certification for the Data Privacy Framework satisfies any Schrems issues for transfers to the U.S.  

For further information on how NAVEX processes customer data, get in touch with our data privacy team at

NAVEX goes further to protect your data

On Schrems II and the Data Privacy Framework

While the Schrems II decision brought data transfers to U.S. businesses into focus, it doesn’t directly impact NAVEX operations. What bolsters our position here is our strict alignment with the new Data Privacy Framework (DFP). This ensures a compliant and secure channel for data transfers between the EU/UK and our U.S. business operations. This makes our data transfers fully compliant and eliminates the need for additional measures.

Additionally, U.S. surveillance laws detailed within the Schrems II decision don’t directly apply to us. That means the Schrems II decision has effectively no bearing on regulatory risk around data transfers and privacy if you use NAVEX services.

The reasoning for this is:

  1. The affected data collection practices involve the collection of communications data, which applies almost exclusively to large email and social media organizations.

  2. Other organizations come into scope as they may be considered a security risk under U.S. law. NAVEX also doesn’t fall into this category.

  3. NAVEX is classified as a U.S. person under U.S. law. In the unlikely event of NAVEX coming into the scope of the ruling, the U.S. government is prevented from targeting the communications of NAVEX (and its third parties) without very specific and strict procedures to follow. These extra protections from the U.S. person classification would not apply to organizations that aren’t classified as a U.S. person – including those based in the EU.

For extra coverage, NAVEX also uses supplementary measures recommended by the EDP on top of using the latest Standard Contractual Clauses (SCCs).  

*This is the reasonable opinion of NAVEX following the counsel of internal and external legal experts. For more technical details, customers can reach out to our data privacy team for additional info.

No stone left unturned

Our customers trust our security standards. We put in the work to earn that trust. 

Consistent monthly web application scans, weekly internal network scans and daily external network scans for systems and applications keep your data safe.  

Third-party independent experts also PEN test all our web applications and infrastructure every year – because there are always ways to improve and our experts are always alert.

image of binary code as flooring with miniature people walking on it

Delicate data handled delicately

Limiting access to your data naturally means a tighter standard of privacy and protection.  

As well as our built-in software security and certifications, we limit access to customer data in several other ways: 

  • Service delivery – we only process customer data to provide the services agreed upon. 
  • Our authorization – we follow the principal of lease privilege, providing our employees with the minimum level of access they need to provide your services.  
  • Partner advocacy – we ensure our sub-processors understand, respect and enact the same level of confidentiality as we do at all times. 
  • Password protection – we protect all employee access to backend systems with multifactor authentication and stringent password requirements – as everyone should. 

We also ensure all our employees undergo regular cybersecurity, data and personal privacy training to keep their awareness and knowledge up to date.

image of laptop with code coming out of the screen

Have more questions about our data privacy processes and policies?

Just reach out to our dedicated Privacy Team at