This Data Processing Addendum (“DPA”) forms part of the Navan Terms of Service or other written or electronic agreement between Navan and Customer which governs the use of online services from Navan (identified as “Services” in the applicable agreement, and hereinafter defined as “Services”) (the “Agreement”) to reflect the parties’ agreement with regard to the Processing of Customer Personal Data. The DPA is binding in the original English language only. The English language version of the DPA shall control in the event of a conflict or inconsistency with any translated versions. Any versions of the DPA in any other language are for convenience only.
Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates, if and to the extent Navan Processes Customer Personal Data for which such Authorized Affiliates qualify as the Controller or Business. For the purposes of this DPA only, and except where indicated otherwise, the term "Customer" shall include Customer and Authorized Affiliates (if any). All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
In the event of a conflict between this DPA and the Agreement in connection with terms and conditions relating to Processing of Customer Data, this DPA will take precedence over the Agreement.
HOW TO EXECUTE THIS DPA
This DPA consists of the main body of the DPA, and Schedules 1, 2, 3 and 4. To receive a fully executed copy of this DPA for your records, please click here.
DATA PROCESSING TERMS
Capitalized terms not defined herein shall have the meaning ascribed to them in the Agreement.
1.1. “Authorized Affiliate” means any Customer Affiliate (as defined in the Agreement) that Customer has permitted to allow access to and use of the Services by the Affiliate’s employees, contractors, and agents, as described in the Agreement.
1.2. “Business” has the meaning set forth in Section 1798.140(c) of the CCPA.
1.3. “Business Purpose” has the meaning set forth in Section 1798.140(d) of the CCPA.
1.4. “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020.
1.5. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
1.6. “Customer Personal Data” means Personal Data Processed by Navan on behalf of Customer in its performance of the Services under the Agreement.
1.7. “Data Protection Laws and Regulations” means all laws and regulations applicable to the Processing of Customer Personal Data under the Agreement, including the CCPA, the EU GDPR and the UK GDPR.
1.8. “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
1.9. “EU GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.10. “EU SCCs” means the standard contractual clauses for international transfers of personal data to third countries set out in European Commission decision (EU) 2021/914 of 4 June 2021 and of which Module Two (Transfer controller to processor) along with the appendices applicable to Module Two in Schedule 3 forms part of this agreement.
1.11. “Personal Data” shall have the meaning assigned to the terms “personal data” or “personal information” under applicable Data Protection Laws and Regulations.
1.12. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.13. “Processor” means the entity which Processes Personal Data on behalf of the Controller.
1.14. “Security and Privacy Documentation” means the security policy and controls applicable to the specific Services purchased by Customer, as updated from time to time, and described at https://navan.com/security/ and in Navan Whistic profile, or as otherwise made reasonably available by Navan.
1.15. “Sell” has the meaning set forth in Section 1798.140(ad) of the CCPA.
1.16. “Service Provider” has the meaning set forth in Section 1798.140(v) of the CCPA.
1.17. “Share” has the meaning set forth in Section 1798.140(ah) of the CCPA.
1.18. “Standard Contractual Clauses” means, collectively, the EU SCCs and the UK SCCs.
1.19. “Sub-processor” means any Processor engaged by Navan, in accordance with Section 5 (Sub-processors) of this DPA.
1.20. “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.
1.21. “Navan” means Navan, Inc. and its Affiliates.
1.22. “UK GDPR” means the UK General Data Protection Regulation 2016/679, as implemented by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020.
1.23. “UK SCCs” or “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner’s Office of the United Kingdom, Version B1.0, in force 21 March 2022.
2. PROCESSING OF CUSTOMER PERSONAL DATA
2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer is the Controller and/or Business and Navan is the Processor and/or Service Provider.
2.2 Customer’s Processing of Customer Personal Data. Customer shall, in its use of the Services, Process Customer Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Customer’s instructions to Navan for the Processing of Customer Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Personal Data.
2.3 Navan's Processing of Customer Personal Data. Navan shall treat Customer Personal Data as Confidential Information and shall only Process Customer Personal Data on behalf of and in accordance with Customer’s documented instructions and Customer’s use of the platform for the following purposes: (i) Processing in accordance with the Agreement and applicable Service Order; (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement. Notwithstanding anything to the contrary in this Agreement, Navan shall inform Customer if, in its opinion, a documented instruction from Customer infringes the GDPR or data protection laws.
2.4 Details of the Processing. The duration of the Processing, the nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 2 (Details of the Processing) to this DPA.
3. RIGHTS OF DATA SUBJECTS
3.1 Data Subject Request. Navan shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject to exercise their rights in Customer Personal Data under Data Protection Laws and Regulations (“Data Subject Request”). Taking into account the nature of the Processing, Navan shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Navan shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Navan is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any non-negligible costs arising from Navan’s provision of such assistance.
4.1 Confidentiality. Navan shall ensure that its personnel engaged in the Processing of Customer Personal Data are informed of the confidential nature of the Customer Personal Data and have executed written confidentiality agreements. Navan shall ensure that such confidentiality obligations survive the termination of the personnel engagement, to the extent set forth in the Agreement.
4.2 Reliability. Navan shall take commercially reasonable steps to ensure the reliability of any Navan personnel engaged in the Processing of Customer Personal Data.
4.3 Data Protection Officer. Navan has appointed a data protection officer. The appointed person may be reached at [email protected].
5.1 Appointment of Sub-processors. Customer acknowledges and agrees that, subject to the requirements of this Section 5 (Sub-processors), (i) Navan’s Affiliates may be retained as Sub-processors; and (ii) Navan may engage third-party Sub-processors in connection with the provision of the Services. Navan has entered into a written agreement with each Sub-processor containing data protection obligations that are consistent with those in this Agreement with respect to the protection of Customer Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor.
5.2 List of Current Sub-processors. Navan shall make available to Customer the current list of Sub-processors for the Services identified in the Customer’s Navan administrator webpage. Such Sub-processor lists shall include the identities of those Sub-processors, their country of location and the duties of such Sub-processor with respect to Customer Personal Data (“Sub-processor Lists”). CUSTOMER’S AGREEMENT TO THIS DPA CONSTITUTES CUSTOMER’S WRITTEN CONSENT AND AUTHORIZATION FOR NAVAN TO ENGAGE THE SUB-PROCESSORS NAMED ON THE SUB-PROCESSOR LIST.
5.3 Informed Consent and Objection Right for New Sub-processors. Prior to retaining or engaging a new Sub-processor, Navan shall notify Customer of its intent to retain or engage a new Sub-processor by updating its Sub-processor list in the Navan Admin Dashboard; such notice shall include the identity of such new Sub-processor, their country of location and the duties of such new Sub-processor with respect to Customer Personal Data (“Notice of New Sub-processor”). Customer may object to Navan’s use of a new Sub-processor by notifying Navan promptly in writing within twenty (20) days after Navan’s notice (the “Objection Period”). IF CUSTOMER DOES NOT OBJECT IN WRITING TO A NOTICE OF NEW SUB-PROCESSOR PRIOR TO THE EXPIRATION OF THE APPLICABLE OBJECTION PERIOD, THEN CUSTOMER WILL BE DEEMED TO HAVE AUTHORIZED NAVAN’S ENGAGEMENT OF THE NEW SUB-PROCESSOR AS SET FORTH IN SUCH NOTICE OF NEW SUB-PROCESSOR.
5.4 Objection to a Sub-processor. In the event Customer reasonably objects to a Sub-processor on data protection grounds, Navan will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Customer Personal Data by the objected-to Sub-processor without unreasonably burdening the Customer. If Navan is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Service Order(s) with respect only to those Services which cannot be provided by Navan without the use of the objected-to Sub-processor by providing written notice to Navan.
5.5 Liability. Navan shall be liable for the acts and omissions of its Sub-processors to the same extent Navan would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
6. SHARING CUSTOMER PERSONAL DATA WITH THIRD PARTY CONTROLLERS
6.1 To the extent required to provide the Services, Navan may share Customer Personal Data on behalf of Customer with third-party Controllers, such as airlines, hotels, rail companies, car rental companies, and travel networks and agencies, that provide services to Customer or its Authorized Users.
7.1 Controls for the Protection of Customer Personal Data. Customer maintains ownership of and control over all Customer Personal Data. Customer grants limited rights to Process Customer Personal Data within the Customer account but Customer maintains full control and authority of all Processed Customer Personal Data. Navan shall maintain appropriate technical and organizational measures designed to protect Customer Personal Data (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Data) within Navan’s control, and the confidentiality and integrity of Customer Personal Data within Navan’s control, as set forth in the Security and Privacy Documentation. Navan regularly monitors compliance with these measures. Navan will not materially decrease the overall security of the Services during a subscription term.
7.2 Third-Party Certifications and Audits. Navan has obtained the third-party certifications and audits set forth in the Security and Privacy Documentation. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Navan shall make available to Customer that is not a competitor of Navan (or Customer’s independent, third-party auditor that is not a competitor of Navan) a copy of Navan’s then most recent third-party audits or certifications, as applicable.
8. CUSTOMER DATA INCIDENT MANAGEMENT AND NOTIFICATION
Navan maintains security incident management policies and procedures specified in the Security and Privacy Documentation and shall, unless instructed otherwise by law enforcement, notify Customer without undue delay, and, where feasible, not later than 72 hours, after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Customer Personal Data, transmitted, stored or otherwise Processed by Navan or its Sub-processors of which Navan becomes aware (a “Customer Data Incident”). Navan shall make reasonable efforts to identify the cause of such Customer Data Incident and take those steps as Navan deems necessary and reasonable in order to remediate the cause of such a Customer Data Incident to the extent the remediation is within Navan’s reasonable control. The obligations herein shall not apply to Customer Data Incidents that are attributable to Customer or Customer’s Users.
9. RETURN OR DELETION OF CUSTOMER PERSONAL DATA
Upon request following termination or expiration of the Agreement, and at the choice of Customer, Navan shall (i) return any Customer Personal Data in its possession or control to Customer; or (ii) to the extent allowed by applicable law, delete Customer Personal Data and existing copies of Customer Personal Data in its possession or control. If Navan is required to retain copies of Customer Personal Data under applicable laws, Navan will isolate, keep confidential, and protect that Customer Personal Data from any further Processing except to the extent required by applicable laws. Unless requested otherwise, Customer Personal Data may be deleted by means of obfuscation.
10.1 Contractual Relationship. The parties acknowledge and agree that, by agreeing to this DPA, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Navan and each such Authorized Affiliate subject to the provisions of the Agreement and this DPA. Each Authorized Affiliate agrees to be bound by the obligations set forth in this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement and is only a party to the DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Customer.
10.2 Communication. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with Navan under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
10.3 Rights of Authorized Affiliates. Where an Authorized Affiliate becomes a party to the DPA with Navan, it shall to the extent required under applicable Data Protection Laws and Regulations be entitled to exercise the rights and seek remedies under this DPA, subject to the following:
10.3.1 Except where applicable Data Protection Laws and Regulations require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against Navan directly by itself, the parties agree that (i) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Authorized Affiliate individually but in a combined manner for all of its Authorized Affiliates together (as set forth in Section 11, below).
10.3.2 The parties agree that the Customer that is the contracting party to the Agreement shall, when carrying out an on-site audit of the procedures relevant to the protection of Customer Personal Data, take all reasonable measures to limit any impact on Navan by combining, to the extent reasonably possible, several audit requests carried out on behalf of different Authorized Affiliates in one single audit.
11. LIMITATION OF LIABILITY
Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement.
For the avoidance of doubt, Navan's total liability for all claims from the Customer and all of its Authorized Affiliates arising out of or related to the Agreement and the DPA shall apply in the aggregate for all claims under both the Agreement and the DPA, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to this DPA.
Also for the avoidance of doubt, each reference to the DPA in this DPA means this DPA including its Schedules and Appendices.
12. CALIFORNIA SPECIFIC PROVISIONS
12.1 CCPA. This Section 12 applies to Navan’s Processing of Customer Personal Data that is subject to the CCPA, and where Navan is acting as a Service Provider.
12.2 Permitted Use. Navan shall not retain, use or disclose Customer Personal Data for any purpose other than for the specific purpose of performing the Services specified in the Agreement, or as otherwise permitted by the CCPA. Navan shall not: (a) Sell or Share Customer Personal Data; (b) disclose Customer Personal Data to any third party for the commercial benefit of Navan or any third party; (c) retain, use, disclose, or otherwise Process Customer Personal Data outside of Navan’s direct business relationship with Customer or for a commercial purpose other than the business purposes specified in the Agreement or as otherwise permitted by the CCPA; or (d) combine Customer Personal Data with Personal Data that Navan receives from, or on behalf of, other persons, or collects from its own interaction with a Data Subject, except as permitted under the CCPA. Without limiting the foregoing, Navan may retain, use, or disclose Personal Data (1) to retain and employ another Service Provider as a subcontractor, where the subcontractor meets the requirements for a Service Provider under the CCPA; (2) for internal use by Navan to build or improve the quality of its services; (3) to detect data security incidents, or protect against fraudulent or illegal activity; (4) to comply with federal, state, or local laws; (5) to comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities; (6) to cooperate with law enforcement agencies concerning conduct or activity that Navan reasonably and in good faith believes may violate federal, state, or local law; or (7) to exercise or defend legal claims.
12.3 Compliance with the CCPA. Navan shall comply with all CCPA obligations applicable to Navan and provide the level of privacy protection as required under the CCPA. Navan will notify Customer if Navan makes a determination that it can no longer meet its obligations under the CCPA, and Customer has the right, upon providing notice to Navan, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data, including where Navan has notified Customer that it can no longer meet its CCPA obligations. Customer may take reasonable and appropriate steps to ensure that Navan is Processing Customer Personal Data consistent with Customer’s CCPA obligations as laid out in Section 7.2, above.
12.4 De-identification. In the event the Agreement permits or instructs Navan to Process Customer Personal Data in de-identified form, Navan will ensure that any such information qualifies and remains qualified as de-identified information as defined by the CCPA. Navan will make no attempt to re-identify any Data Subject to whom such information relates, will publicly commit to maintaining and using such information without attempting to re-identify it, and will take reasonable measures to prevent such re-identification.
13. EUROPEAN AND UK SPECIFIC PROVISIONS
13.1 GDPR. This Section 13 applies to Navan’s Processing of Customer Personal Data that is subject to the EU GDPR and/or the UK GDPR (as applicable).
13.2 Data Privacy Impact Assessment. Upon Customer’s request, Navan shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligations under the EU GDPR and the UK GDPR to carry out a data privacy impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Navan. Navan shall provide reasonable assistance to Customer in cooperation or prior to consultation with the Supervisory Authority in the performance of its tasks relating to this Section 13.2 of this DPA, to the extent required under the EU GDPR and the UK GDPR.
13.3 Transfer mechanisms for data transfers. Subject to the additional terms in Schedule 1, for any transfers of Customer Personal Data under this DPA to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws and Regulations of the foregoing territories, to the extent such transfers are subject to such Data Protection Laws and Regulations, and are:
13.3.1 from the European Union, the European Economic Area and/or their member states, then the EU SCCs, Module 2 (Controller to Processor) apply to the Services listed in the Annex to the EU SCCs and are incorporated by reference to this DPA;
13.3.2 from the UK, then the UK SCCs apply to the Services listed in Appendix 1 to the UK SCCs, and are incorporated by reference to this DPA.
This DPA will become legally binding upon the date that Customer agrees to this DPA if it is completed after the effective date of the Agreement.
SCHEDULE 1 - TRANSFER MECHANISMS FOR EUROPEAN AND UK DATA TRANSFERS
1. ADDITIONAL TERMS FOR STANDARD CONTRACTUAL CLAUSES
1.1. Entities covered by the Standard Contractual Clauses. The Standard Contractual Clauses and the additional terms specified in this Schedule 1 apply to (i) the legal entity that has executed the Standard Contractual Clauses as a data exporter and its Authorized Affiliates and, (ii) all Affiliates of Customer established within the European Economic Area and/or the United Kingdom, which have signed Service Orders for the Services. For the purpose of the Standard Contractual Clauses and this Schedule 1, the aforementioned entities shall be deemed “data exporters”.
1.2. Instructions. This DPA and the Agreement are Customer’s complete and final documented instructions at the time of signature of the Agreement to Navan for the Processing of Customer Personal Data. Any additional or alternate instructions must be agreed upon separately. For the purposes of Clause 8.1(a) of the EU SCCs and clause 5 of the UK SCCs (as applicable), the following is deemed an instruction by the Customer to process Customer Personal Data: (a) Processing in accordance with the Agreement and applicable Service Order(s); (b) Processing initiated by Users in their use of the Services; and (c) Processing to comply with other reasonable documented instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
1.3. Appointment of new Sub-processors and List of current Sub-processors. Pursuant to Clause 5(h) of the UK SCCs (where applicable), Customer acknowledges and expressly agrees that (a) Navan's Affiliates may be retained as Sub-processors; and (b) Navan and Navan's Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Navan shall make available to Customer the current list of Sub-processors in accordance with Section 5.2 of this DPA.
1.4. Appointment of New Sub-processors and Objection Right for new Sub-processors. Pursuant to Clause 9 of the EU SCCs (where applicable), Customer acknowledges and expressly agrees that Navan may engage new Sub-processors as described in Sections 5.2 and 5.3 of the DPA.
1.5. Copies of Sub-processor Agreements. The parties agree that the copies of the Sub-processor agreements that must be provided by Navan to Customer pursuant to Clause 5(j) of the UK SCCs or Clause 9(c) of the EU SCCs (as applicable) may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by Navan beforehand; and, that such copies will be provided by Navan, in a manner to be determined in its discretion, only upon request by Customer.
1.6. Audits and Certifications. The parties agree that the audits described in Clause 5(f) and Clause 12(2) of the UK SCCs and Clause 8.9 of the EU SCCs (as applicable) shall be carried out in accordance with the following specifications:
Upon Customer’s request, and subject to the confidentiality obligations set forth in the Agreement, Navan shall make available to Customer that is not a competitor of Navan (or Customer’s independent, third-party auditor that is not a competitor of Navan) information regarding Navan’s compliance with the obligations set forth in this DPA in the form of the third-party certifications and audits set forth in the Security and Privacy Documentation to the extent Navan makes them generally available to its customers. In the event (a) Navan’s Security and Privacy Documentation is reasonably insufficient to demonstrate compliance with the Standard Contractual Clauses, (b) there is a Customer Data Incident, or (c) as directed by a Supervisory Authority, Customer may contact Navan in accordance with the “Notices” Section of the Agreement to request an on-site audit of the policies and procedures relevant to the protection of Customer Personal Data. Any audit must be conducted: (i) during Navan’s regular business hours; (ii) with reasonable advance notice to Navan; (iii) in a manner that prevents unnecessary disruption to Navan’s operations; and (iv) subject to reasonable confidentiality procedures. Customer shall reimburse Navan for any time expended for any such on-site audit at Navan’s then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and Navan shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Navan. Customer shall promptly notify Navan with information regarding any non-compliance discovered during the course of an audit.
1.7. Certification of Deletion. The parties agree that the certification of deletion of Customer Personal Data that is described in Clause 12(1) of the UK SCCs and Clause 16(d) of the EU SCCs shall be provided by Navan to Customer only upon Customer’s request.
1.8 Docking Clause. This option under Clause 7 of the EU SCCs shall not apply.
1.9 Supervision. Clause 13 of the EU SCCs shall apply as follows:
1.9.1: Where Customer is established in an EU member state, the supervisory authority responsible for ensuring Customer’s compliance with the EU GDPR as regards the data transfer shall act as competent supervisory authority.
1.9.2: Where Customer is not established in an EU member state, but falls within the territorial scope of application of the EU GDPR in accordance with Article 3(2) and has appointed a representative under Article 27(1) of the EU GDPR, the supervisory authority of the member state in which the representative is established shall act as competent supervisory authority.
1.9.3: Where Customer is not established in an EU member state, but falls within the territorial scope of application of the EU GDPR in accordance with Article 3(2) without having to appoint a representative pursuant to Article 27(2) of the EU GDPR, the Dutch Data Protection Authority shall act as competent supervisory authority.
1.9.4: Where Customer is established in the UK, the Information Commissioner's Office shall act as competent supervisory authority.
1.10 Notification of Government Access Requests. For the purpose of Clause 15(a) of the EU SCCs, Navan shall notify the Customer only and not the data subject in case of government access requests. Customer shall be solely responsible for promptly notifying the data subject as necessary.
1.11 Governing law. For the purposes of Clause 17 of the EU SCCs, the governing law shall be that of the Netherlands.
1.12 Choice of law and Jurisdiction. For the purposes of Clause 18 of the EU SCCs, any dispute arising from the EU SCCs shall be resolved by the courts of the Netherlands.
1.13 Appendix. The appendix shall be completed as follows:
The contents of section 1 of Schedule 2 shall form Annex I.A;
The contents of sections 2-8 of Schedule 2 shall form Annex I.B;
The contents of Section 10 of Schedule 2 shall form Annex I.C.
The contents of Schedule 3 shall form Annex II.
1.14 Conflict. The SCCs are subject to this DPA and any additional safeguards set out hereunder. In the event of a conflict between the SCCs and this DPA, the terms of the SCCs shall control.
SCHEDULE 2 - DETAILS OF THE PROCESSING
Name: Customer and Customer affiliates
Address: As specified in the Service Order between Navan and Customer.
Contact person’s name, position and contact details: As specified in the Service Order between Navan and Customer.
Activities relevant to the data transferred under these Clauses: Allowing its employees or other Authorized Users to book travel using the services of Data Importer and using these services for spend and policy management and other ancillary services.
Data importer:
Name: Navan, Inc. and Affiliates
Address: 3045 Park Blvd, Palo Alto, CA 94306
Activities relevant to the data transferred under these Clauses: Navan is a corporate travel solutions provider, which allows Customer’s Authorized Users to book travel, including flights, hotels, and car rentals, and submit relevant business expenses within the Services. Navan uses Customer Personal Data in order to complete bookings requested and submit expenses through the Services.
Role (controller/processor): Processor
2. Categories of data subjects whose personal data is transferred
Customer’s employees and any other users authorized by Customer to access the Processor’s services.
3. Categories of personal data transferred
The personal data transferred include the following categories of data:
Traveler first and last name*
Traveler email address*
Traveler mobile phone number*
Company business address
Account password or other service authentication credential
Traveler date of birth
Credit card information
Passport information (optional)
KTN/TSA-Pre number (optional)
Redress number (optional)
Loyalty clubs (optional)
Emergency contact information (optional)
Dietary preferences (optional)
Special accommodation requests (optional)
Traveler personal email address (for personal travel)
Cost center data (optional)
Traveler department (optional)
Traveler’s manager (optional)
*Data points are stored in the United States where Customer is using Navan’s Expense services.
4. Sensitive data transferred
COVID health data for travel (optional)
5. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
6. Nature of the processing
Navan is a corporate travel solutions provider and expense management provider. As part of the Services, Navan must Process certain Customer Personal Data of Customer and Customer’s Authorized Users, in order to fulfill requested travel bookings and services. Navan will Process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Security and Privacy Documentation, and as further instructed by Customer in its use of the Services.
7. Purpose(s) of the data transfer and further processing
The objective of Processing of Customer Personal Data by data importer is the performance of the Services pursuant to the Agreement, which includes the collection, organization, structuring, storage, retrieval, consultation, use, disclosure by transmissions, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the Personal Data.
8. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Customer may request deletion of its Customer Personal Data at any time upon written request to the extent Navan does not require such Customer Personal Data to be maintained in accordance with applicable laws. Customer Personal Data will be automatically deleted seven (7) years after termination of the Agreement except as otherwise required by applicable law.
9. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
See Navan’s subprocessor list in Customer’s admin dashboard.
10. Competent Supervisory Authority.
Where Customer is established in an EU member state, the supervisory authority responsible for ensuring Customer’s compliance with the EU GDPR as regards the data transfer shall act as competent supervisory authority.
Where Customer is not established in an EU member state, but falls within the territorial scope of application of the EU GDPR in accordance with Article 3(2) and has appointed a representative under Article 27(1) of the EU GDPR, the supervisory authority of the member state in which the representative is established shall act as competent supervisory authority.
Where Customer is not established in an EU member state, but falls within the territorial scope of application of the EU GDPR in accordance with Article 3(2) without having to appoint a representative pursuant to Article 27(2) of the EU GDPR, the Dutch Data Protection Authority shall act as competent supervisory authority.
Where Customer is established in the UK, the Information Commissioner's Office shall act as competent supervisory authority.
11. Technical and Organizational Measures
See Schedule 3.
SCHEDULE 3 - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Navan’s technical and organizational measures to ensure the security of Customer Data are described in its Whistic profile, which is provided to customers or prospective customers upon request.
Navan’s sub-processors maintain technical and organizational safeguards for protection of the security, confidentiality and integrity of Customer Personal Data, consistent with GDPR and the Standard Contractual Clauses.
SCHEDULE 4 – UK ADDENDUM
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start date: Date of agreement.
Exporter (who sends the Restricted Transfer)
Full legal name: Customer and Customer Affiliates
Trading name (if different):
Main address (if a company registered address): As specified in the Service Order between Navan and Customer.
Official registration number (if any) (company number or similar identifier):
Full Name (optional):
Job Title: As specified in the Service Order between Navan and Customer.
Contact details including email: As specified in the Service Order between Navan and Customer.
Importer (who receives the Restricted Transfer)
Full legal name: Navan, Inc. and Affiliates
Trading name (if different): N/A
Main address (if a company registered address): 3045 Park Blvd, Palo Alto, CA 94306
Official registration number (if any) (company number or similar identifier): ZB056851
Job Title: Data Protection Officer
Signature (if required for the purposes of Section 2)
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs
X The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
Reference (if any):
Other identifier (if any):
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: Section 1 of Schedule 2.
Annex 1B: Description of Transfer: Sections 2-8 of Schedule 2
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: Schedule 3.
Annex III: List of Sub processors (Modules 2 and 3 only): Posted in Navan Admin Dashboard.
Table 4: Ending this Addendum when the Approved Addendum Changes
Which Parties may end this Addendum as set out in Section 19:
☐ neither Party
Part 2: Mandatory Clauses
Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.