EXHIBIT A
NAVAN SECURITY ADDENDUM
This Navan Security Addendum (“Addendum”) is attached and incorporated into the Navan Service Order by and between Navan, Inc. and Customer (the “Agreement”). All capitalized terms not defined herein shall have the meaning set forth in the Agreement. Except as modified by this Addendum, the terms of the Agreement shall remain in full force and effect until termination or expiration as provided therein.
1. Purpose. This Addendum sets forth the information security programs, infrastructure policies, and other security and data protection obligations that Navan has implemented and shall comply with in order to protect Customer Data from a Security Incident, as defined in the Agreement, for any period of time during which Navan has possession of or access to Customer Data. This Addendum applies in addition to any security, privacy, or such similar terms set forth in the Agreement. In the event of a conflict between this Addendum and the Agreement, the terms of this Addendum shall control.
2. Processing. Navan will only process Customer Data collected by or received from Customer in accordance with the Agreement, this Addendum, Navan’s Data Processing Addendum, and applicable law.
3. Information Security Management System. Navan has implemented and will maintain, update, and adhere to a written information security management program and infrastructure policy (“ISMS”) throughout the Term of the Agreement, available on Navan’s Trust Center (trust.navan.com). Navan’s ISMS complies with applicable laws, statutes, regulations, and orders as may be in effect from time to time, including those related to privacy and data protection, and with industry standards such as ISO/IEC 27001 and PCI DSS. The ISMS includes, at a minimum: a security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, information security incident management, business continuity management, and compliance. Navan’s ISMS also provides for: (i) continual assessment and re-assessment of the risks to the security of Customer Data while on systems maintained by Navan in connection with the Services, including (a) identification of internal and external threats that could result in a Security Incident, (b) assessment of the likelihood and potential damage of such threats, taking into account the sensitivity of Customer Data, and (c) assessment of the sufficiency of Navan’s policies, procedures, information systems, and other arrangements in place to control such risks; and (ii) appropriate protection against such risks. Navan will review its ISMS at least annually and update it as necessary to comply with changes to applicable laws, standard practices, and industry standards, and as appropriate given the Services provided. Navan shall not modify its ISMS in any manner that would breach applicable law or that would materially reduce the security, confidentiality, integrity, availability, or privacy of Customer Data.
4. Information Security Certifications. Navan has attained and will maintain ISO/IEC 27001 certification. In addition, an independent certified public accountant has audited Navan and determined that Navan has appropriate safeguards and procedures in place meeting the standards required for SOC 1 Type II and SOC 2 Type II reports, and Navan maintains PCI DSS compliance. Navan will maintain these attestations throughout the Term of the Agreement.
5. Information Security Infrastructure. Navan’s ISMS contains the administrative, technical, and physical safeguards outlined in this Section 5, designed to ensure the security, confidentiality, integrity, availability, and privacy of Customer Data and to prevent a Security Incident.
5.1. Authorized Persons. Navan will limit access to Customer Data solely to employees and contractors, including both technical and non-technical personnel, who have a need for access to Customer Data (“Authorized Person(s)”) and will train and require each Authorized Person to comply with Navan’s security requirements herein. Navan will be fully responsible and primarily liable for any Authorized Person’s failure to comply with this Addendum or the Agreement.
5.2. Access Controls. Navan’s administrative, technical, and physical safeguards adhere to (i) information security industry standard practices, such as those identified in International Organization for Standardization 27001 (ISO/IEC 27001), and (ii) other applicable authoritative sources, such as SOC 1 or SOC 2. Navan has processes designed to ensure that it grants access to Customer Data only to Authorized Persons. Navan shall not authorize Authorized Persons to access, process, store, communicate, or transmit Customer Data if such access would violate Navan’s obligations under the Agreement, this Addendum, or applicable law. Each authorization Navan grants to an Authorized Person to access Customer Data must be approved by appropriate Navan management personnel. Navan will perform regular user access reviews, at least annually, to verify that Authorized Persons’ access privileges remain appropriate at the time of review. Navan will employ segregation of duties in its assignment of all critical job functions related to the Services involving Customer Data. All Authorized Persons access Customer Data via a unique user ID, through zero-trust network access (ZTNA) with multi-factor authentication.
5.3. Background Checks. Before receiving access to Customer Data, Authorized Persons shall pass a background verification consistent with industry standards, conducted by or on behalf of Navan. Such background checks and the resulting employment decisions are conducted in compliance with applicable laws.
5.4. Password Administration. Wherever passwords are used, Navan’s and Authorized Persons’ passwords used to access Customer Data will follow industry standard practices for minimum length and complexity (a minimum of twelve characters, including upper case, lower case, numbers, and symbols), expiration, and re-use. Where applicable, Navan will follow PCI DSS password requirements. Furthermore, as Navan adopts advanced authentication technologies, including but not limited to passwordless authentication based on the FIDO2 protocol using either passkeys or security keys, Navan will securely integrate and enforce these authentication measures, or equivalent industry standard practices, across systems that process Customer Data. Any future authentication method implemented must meet or exceed the security assurances of the method it replaces.
5.5. Personnel Training. Navan shall provide regular training to Authorized Persons on the security and privacy requirements applicable to Navan and to such personnel’s job duties. Such training shall occur upon initial employment or engagement and at least annually thereafter. Additionally, all Navan personnel with access to Customer Data will sign Navan’s non-disclosure agreement (NDA).
5.6. Termination. Navan will remove an Authorized Person’s access within twenty-four (24) hours after such Authorized Person no longer requires access to Customer Data or after such Authorized Person’s last day of employment or engagement with Navan. Navan will disable and collect the departing Authorized Person’s badge, laptop, and other assets issued as part of the employment or engagement.
5.7. Vendor Management. Navan maintains a vendor risk management policy for vendors that process Customer Data, designed to ensure each such vendor maintains security measures consistent with Navan’s obligations in this Addendum. Vendors are assessed on a recurring basis according to their criticality to the provision of the Services.
5.8. Change Management. Navan has a formal change management policy and procedures in place that set out Navan’s expectations for the change process and are designed to ensure that unauthorized changes are not made to production systems. These policies and procedures address the production infrastructure and software development lifecycle, change requests, approvals, and standard change implementation procedures.
5.9. Physical Security. Navan will maintain physical safety and security safeguards at any facilities where Services are performed on Customer Data. Such safeguards will meet or exceed ISO/IEC 27001 requirements and will be at least as rigorous as those in effect at Navan facilities for the protection of Navan’s own information of the same kind.
5.10. Encryption. Navan will encrypt all Customer Data at rest and in transit. Navan encrypts laptops, email servers, network file transfers, web transactions, and any other medium used to store Customer Data in connection with its performance of the Services. Navan uses commercial-grade, industry-standard strong cryptographic algorithms and protocols, with commercially reasonable key strengths, for encryption of Customer Data at rest, and will use, at a minimum, the AES algorithm with 256-bit keys by default. Navan uses Transport Layer Security (TLS) 1.2 or higher for Customer Data transmitted over untrusted networks. Navan will align with U.S. Executive Order 14144 and transition to post-quantum cryptography (PQC) by the prescribed deadline (January 2, 2030).
5.11. Separation of Environment. Navan logically segregates the production environment from the development environment. Production data does not leave the production environment for use in the development or test environments.
5.12. Network Monitoring & Logging. Navan has in place industry standard intrusion detection or deception technologies, firewalls, and anti-virus protection, which Navan will keep functioning properly at all times that Navan is accessing, processing, storing, communicating, or transmitting Customer Data (“Network Monitoring”). Navan will ensure that all of its operating systems and applications associated with accessing, processing, storing, communicating, or transmitting Customer Data are patched, updated, and secured within the following timelines (“Remediation Timelines”): Critical (CVSS 9.0 - 10.0) vulnerabilities with immediate urgency and no later than 7 days; High (CVSS 7.0 - 8.9) vulnerabilities within 30 days; Moderate (CVSS 4.0 - 6.9) vulnerabilities within 90 days; and Low (CVSS 0.1 - 3.9) vulnerabilities within 180 days. Navan implements and uses industry standard endpoint detection and response (EDR) solutions to ensure that any software, systems, or networks that may interact with Customer’s systems, networks, or any Customer Data are not and do not become infected by any viruses, worms, time bombs, Trojan horses, or other harmful, malicious, or destructive code. Navan will maintain, throughout the Term of the Agreement and at all times while in possession of or having access to Customer Data, Network Monitoring at least as secure as the controls disclosed to Customer prior to execution of the Agreement. Logs captured from monitoring tools and services are further monitored, analyzed, and securely stored to prevent tampering. Consistent with industry standard practices, such logs are retained for at least 12 months.
5.13. Secure Configuration. Navan will manage security configurations of its systems using industry standard practices, following standard security frameworks and configuration guides, designed to protect Customer Data from exploitation through vulnerable services and settings.
5.14. Data Loss Prevention. Navan shall utilize commercially reasonable efforts to deploy and manage technical Data Loss Prevention (DLP) measures intended to mitigate the risk of unauthorized access to or leakage of Customer Data.
5.15. Vulnerability Management. Navan performs regular internal and external testing to monitor its cloud environment, using up-to-date vulnerability databases and industry standard testing tools and techniques, including but not limited to external attack surface management (EASM) and cloud security posture management (CSPM). Any risks identified will be escalated internally and remediated in accordance with Navan’s Remediation Timelines. Navan engages independent third parties to conduct penetration tests at least annually. These tests include but are not limited to web application, internal network, and external network tests.
5.16. Business Continuity and Backup. Navan’s infrastructure is hosted and managed primarily on third-party cloud infrastructure across multiple availability zones to support fault tolerance, high availability, and disaster recovery. Navan performs a business continuity and disaster recovery test at least annually. Navan is responsible for maintaining a standard backup process designed for the orderly and timely recovery of Customer Data in the event that the Services are interrupted. Navan shall maintain backups from which Customer Data can be recovered at any time, and will maintain a recovery time objective (RTO) of 8 hours and a recovery point objective (RPO) of 4 hours.
5.17. Restricted Countries. Navan will prohibit access to Customer Data and systems by Navan personnel who currently reside in (a) the People’s Republic of China (including the special administrative regions of Hong Kong and Macau), (b) Russia, (c) Ukraine, (d) North Korea, and (e) Iran, unless such access is strictly necessary for the provision of the contracted Services, and only then upon receiving specific written approval from Customer.
6. Data Access Requests. Navan will not provide any Customer Data obtained or collected to any third party unless legally required or to the extent required to provide the Services. Navan will notify Customer of any data access request within five (5) business days unless such notification is legally prohibited. Customer acknowledges that it is responsible for deleting, rectifying, blocking, or updating Customer Data in response to an access request from Customer’s Users, as applicable.
7. Security Incident. In the event of a Security Incident, Navan will notify Customer promptly, and in no event later than forty-eight (48) hours after Navan becomes aware of a Security Incident resulting in unauthorized access to, or deletion or modification of, Customer Data, and Navan shall immediately take reasonable steps to contain, investigate, mitigate, and remediate the Security Incident as outlined in a maintained, written incident response plan aligned to industry standard practices. Navan will cooperate with Customer’s reasonable requests for information regarding the Security Incident. Navan’s communications with Customer in connection with a Security Incident shall not be construed as an acknowledgement by Navan of any fault or liability with respect to the Security Incident. To facilitate timely communications, Customer shall maintain current and accurate user admin contact information within the platform. In the event Customer fails to do so, Customer acknowledges and agrees that Navan may, in its reasonable discretion, utilize any other method of notification it deems appropriate. Navan’s obligations in this Section 7 do not apply to incidents resulting from an act or omission of Customer, including, without limitation, Customer’s failure to maintain the security and confidentiality of User credentials. Customer agrees to promptly report any Security Incident that might put Customer Data or the Navan Platform at risk to security@navan.com. Furthermore, Customer agrees to report any incident of potential fraud to fraud@navan.com.
8. Data Retention. Navan will only retain Customer Data for as long as Customer remains a customer of Navan. Within forty-five (45) days after termination of the Agreement, upon Customer’s written instruction, Navan will delete Customer Data in accordance with such instruction.
9. Right to Audit. Navan has obtained third-party certifications and audits demonstrating its compliance with the security controls outlined in this Addendum. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Navan shall make available to Customer, or to an independent, mutually agreed upon third-party auditor of Customer that is not a competitor of Navan, a copy of Navan’s then most recent third-party audit reports or certifications, as applicable. If Customer reasonably demonstrates that the security information provided (e.g., SOC reports, ISO/IEC 27001 certificate, PCI DSS certificate, information security policies) is insufficient to demonstrate compliance with this Addendum, then, subject to the provisions below, Customer may, at its own expense and for additional fees, conduct an audit of Navan’s compliance with the security controls outlined in this Addendum upon at least thirty (30) days’ notice, unless such request arises from a Security Incident, in which case reasonable notice must be given. This audit may also be performed by a third-party auditor selected by Customer, subject to Navan’s reasonable approval (a “Security Audit”).
Upon receiving a Security Audit request from Customer, Navan and Customer shall mutually agree in advance on the Security Audit details, including the start date, scope, and duration. Both parties shall also agree to reasonable conditions to mitigate potential risks to confidentiality or security and potential disruption to Navan’s services or business. All Security Audits and any information arising therefrom will be deemed Navan’s Confidential Information. Customer must promptly notify Navan of any material noncompliance discovered during a Security Audit.
Security Audits may only occur during Navan’s normal business hours and no more than once in any twelve (12) month period unless such request arises from a Security Incident. Security Audits are subject to Navan’s reasonable security and confidentiality requirements and may only proceed to the extent that they do not violate Applicable Data Protection Laws.
Any non-conformity or security deficiency identified in a Security Audit shall be subject to a cure period of one-hundred eighty (180) days, during which Navan shall employ commercially reasonable efforts to remediate such deficiency.