Navan Information Security Requirements Addendum
THIRD PARTY SECURITY REQUIREMENTS
1. Scope
Vendor will comply in all respects with its information security obligations set forth in this Information Security Requirements Addendum (the “Security Policy”). The Security Policy applies to Vendor’s performance under the Agreement and to all Processing of, and Security Incidents involving, Navan Information. This Security Policy does not limit other obligations of Vendor, including under the Agreement or laws that apply to Vendor, Vendor’s performance under the Agreement, or the Permitted Purpose (defined in Section 3 herein). To the extent this Security Policy conflicts with the Agreement, Vendor will promptly notify Navan of the conflict and will comply with the requirement that is more restrictive and protective of Navan Information. The Vendor obligations set forth herein apply to Vendor, Vendor affiliates and subcontractors, and its and their Personnel.
2. Definitions
The following definitions apply to this Security Policy:
2.1 “Aggregate” means to combine or store Navan Information with any data or information of Vendor or any third party.
2.2 “Navan Information” means: (a) all Navan Confidential Information (as defined in the Agreement or in the non-disclosure agreement between the parties); (b) all other data, records, files, content or information received from Navan or its affiliates and Processed by Vendor in connection with the Agreement including, but not limited to, personal information; and (c) data derived from (a) or (b), even if Anonymized.
2.3 “Confidentiality, Integrity, and Availability” refers to the three properties of the information-security model known as the “CIA Triad.” Confidentiality is the property that data or information is not made available or disclosed to unauthorized persons or processes. Integrity is the property that data or information have not been altered or destroyed in an unauthorized manner. Availability is the property that data or information is accessible and useable upon demand by an authorized person.
2.4 “Personnel” means Vendor’s, its Subcontractor’s, and its and their employees, agents, subcontractors, and other authorized users of its or their systems and network resources.
2.5 “Physical, Organisational, Personnel, and Technical Safeguards” refers to the controls an organization implements to maintain information security. Physical safeguards address physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Organisational and Personnel safeguards address administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic data or information and to manage the conduct of Personnel in relation to the protection of that data or information. Technical safeguards address the technology, and the policies and procedures for its use, that protect electronic data or information and control access to it.
2.6 “Process” means to perform any operation or set of operations on data, such as access, use, collection, receipt, storage, alteration, transmission, dissemination or otherwise making available, erasure, or destruction. The term “Process” also includes “Processing,” “Processor,” and “Processed”.
2.7 “Biometric Identifier” means i) a scan of facial geometry that records or extracts facial measurements or facial landmarks; ii) a retina or iris scan; iii) a fingerprint; or iv) a voiceprint.
3. Permitted Purposes
Vendor will Process Navan Information only as follows (each, a “Permitted Purpose”):
3.1 Authorized data. Vendor may Process only the Navan Information expressly authorized under the Agreement. If there is no express authorization, Vendor may Process only the Navan Information necessary to perform the services under the Agreement.
3.2 Only for purposes expressly authorized. Vendor may Process Navan Information only for purposes expressly authorized under the Agreement.
3.3 Sale or other transfer prohibited. Vendor will not transfer, rent, barter, trade, sell, loan, lease, or otherwise distribute or make any Navan Information available to any third party.
3.4 Data aggregation prohibited. Vendor will not Aggregate Navan Information, even if anonymized or pseudonymized, except as expressly authorized under the Agreement.
4. Information Security Requirements
4.1 General security requirement. Vendor will maintain Physical, Administrative, and Technical safeguards consistent with industry-accepted best practices (including the International Organization for Standardization’s standards ISO 27001 and 27002, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, or other similar industry standards for information security) to protect the Confidentiality, Integrity, and Availability of Navan Information.
4.2 Specific safeguard requirements. In addition to following the above standards, Vendor’s information security program will include, at a minimum, the following safeguards and controls:
4.2.1 Written information security program. Vendor shall maintain and implement a written information security program, including appropriate policies, procedures, and risk assessments that are reviewed at least annually. The program will apply to Vendor’s employees, agents, subcontractors, and Vendors. Vendor will maintain a process to monitor and enforce program compliance and log program violations.
4.2.2 Security awareness training. Vendor will provide periodic security training, no less than annually, to its Personnel on relevant threats and business requirements [such as social-engineering attacks, sensitive data handling, causes of unintentional data exposure, and security incident identification and reporting].
4.2.3 Data inventory. Vendor will document and maintain information regarding how and where Navan Information is Processed while in Vendor’s possession or control.
4.2.4 Secure configurations. Vendor shall manage security configurations of its systems using industry best practices to protect Navan Information from exploitation through vulnerable services and settings.
4.2.5 Controlled use of administrative privileges. Vendor shall limit and control the use of administrative privileges on computers, networks, and applications consistent with industry best practices.
4.2.6 Vulnerability and patch management. Vendor will maintain a process to timely identify and remediate system, device, and application vulnerabilities through patches, updates, bug fixes, or other modifications to maintain the security of Navan Information. Vendor must mitigate all discovered Critical (CVSS 9.0 - 10.0) vulnerabilities with immediate urgency and no later than 7 days, mitigate High (CVSS 7.0 - 8.9) risk vulnerabilities within 14 days, mitigate Moderate (CVSS 4.0 - 6.9) vulnerability risks within 90 days, and mitigate Low (CVSS 0.1 - 3.9) vulnerability risks within 180 days. CVSS ratings are defined at https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator.
4.2.7 Maintenance, monitoring, and analysis of audit logs. Vendor will collect, manage, retain, and analyze audit logs of events to help detect, investigate, and recover from unauthorized activity that may affect Navan Information. Logs will be kept and maintained for at least 18 months. If Vendor is providing Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS), Vendor must audit all user management activities in section and provide a tamper-protected audit trail of such activities as an encrypted continuous export stream or file that will be available to Navan information security in a SIEM-compatible format, and that can clearly demonstrate the user performing the action, the action taken, success or failure, and date and time. Further, in a multi-tenant environment with a shared responsibility model (e.g. a SaaS), Vendor shall associate all logs with a unique Navan implementation id, and provide this information to Navan upon request. Vendor will implement reasonable controls to control access to and prevent modification of security audit logs.
4.2.8 Availability Monitoring. If Vendor is providing Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS), Vendor will implement the following availability monitoring (applicable only to IaaS, PaaS, and SaaS vendors):
(a) Service Level Agreements. Vendor must have documented service level agreements and their definitions for all services and APIs consumed by Navan, and should make such definition either publicly available or share such definition with Navan upon request. When Vendor makes changes to service level agreements, such changes must be notified to Navan at least 30 days before the change is made, and changes cannot degrade existing committed service level agreements.
(b) Status Page. Vendor must maintain a status page that indicates whether services are functioning as expected and continuously updates status page in a timely fashion when a service disruption occurs with current status and action taken to remediate. Vendor must provide a way to register for status page updates either through RSS or email notifications.
(c) Documented API. Vendor must expose availability metrics for their services through a documented API. These metrics should include uptime, downtime, latency or response times, and error rates.
4.2.9 Malware defenses. Vendor will deploy endpoint detection and response and anti-malware software to control, detect and remediate the installation, spread, and execution of malicious code on all assets.
4.2.10 Firewalls. Vendor will maintain and configure firewalls to protect systems containing Navan Information from unauthorized access. Vendor will review firewall rule sets at least annually to ensure valid, documented business cases exist for all rules.
4.2.11 Dedicated IP Addresses. Vendor will provide and document dedicated IP addresses for services that interact with Navan Information or Navan's network. These dedicated IP addresses will be used exclusively for Navan's traffic and will be documented and shared with Navan. This documentation must include the purpose of each IP address, the services associated with it, and any relevant network configuration details.
4.2.12 Suitable Environment. Data will be used in an environment suitable to its purpose. Production data will not be used on test equipment and test data will not be used on production equipment.
4.2.13 Change Management. Changes to production systems are tracked, recorded, appropriately authorised and reviewed per Vendor’s change management policy.
4.2.14 Authorised Services. Authorized services must be documented with a business justification and be appropriately approved. All unnecessary services, protocols, and ports are disabled or deleted.
4.2.15 Encryption. Vendor will encrypt all Navan Information at rest and in transit in accordance with industry best practices. Vendor will prohibit the use of known weak ciphers (reference https://www.cisa.gov/news-events/alerts/2021/01/05/nsa-releases-guidance-eliminating-obsolete-tls-protocol). For encryption at rest, AES128 or greater shall be used. For encryption in transit, TLS 1.2 or higher shall be used. Vendor must transition to TLS 1.3 or its successor as soon as possible and no later than December 2, 2029 to support the shift to Post-Quantum Cryptography (PQC). By December 2, 2034, all systems must transition to PQC, as legacy algorithms will be disallowed. Upon Navan's written request, Vendor will confirm that all copies of encryption keys have been securely deleted.
4.2.16 Access controls. Vendor will implement the following access controls with respect to Navan Information:
(a) Unique IDs. Vendor will assign individual, unique IDs to all Personnel with access to Navan Information, including accounts with administrative access. Accounts with access to Navan Information must not be shared.
(b) Need-to-know. Vendor will restrict access to Navan Information to only those Personnel with a “need-to-know” for a Permitted Purpose.
(c) Access termination. Vendor will terminate accounts within 24 hours of personnel separation from the Vendor.
(d) User access review. Vendor will periodically review Personnel and services with access to Navan Information and remove accounts that no longer require access. [This review must be performed at least once every 90 days.]
4.2.17 “In bulk” access. Except where expressly authorized by Navan in writing, Vendor will not access, and will not permit access to, Navan Information “in bulk” whether the Navan Information is in a Navan or Vendor-controlled database or stored in any other method, including storage in file-based archives (e.g., flat files).
(a) Definition of “in bulk” access. For purposes of this section, “in bulk” access means accessing data by means of database query, report generation, or any other mass transfer of data.
(b) “In bulk” safeguards. Vendor will implement appropriate Physical, Organisational, Personnel, and Technical Safeguards (including access controls, logging of all “in bulk” access, and monitoring) to prevent and detect “in bulk” access to Navan Information or, where such access is authorized by Navan, to (1) limit such access only to specified employees with a “need-to-know”, and (2) require explicit authorization and logging of all “in bulk” access.
(c) “In bulk” log access. Upon Navan’s request, Vendor will provide to Navan all logs on “in bulk” access referenced in this section.
4.2.18 Account and password management. Vendor will implement account and password management policies to protect Navan Information, including, but not limited to:
(a) No default passwords. Before deploying any new hardware, software, or other asset, Vendor will change all default and manufacturer-supplied passwords to a password consistent with the password strength requirements in subsection (c).
(b) Inventory of administrative accounts. Vendor will maintain an inventory of all administrator accounts with access to Navan Information and will provide a list of these accounts to Navan at Navan’s request.
(c) Password strength. Vendor will ensure that all Personnel use strong passwords by enforcing the following minimum requirements. Navan encourages Vendor to deploy FIDO2 authentication mechanisms and move to passwordless authentication. If FIDO2 is deployed, the following password requirements do not apply:
(i) passwords must be a minimum length of 8 characters;
(ii) passwords must be unique and not be reused on any other system;
(iii) passwords may not match commonly used, expected, or compromised passwords; and
(iv) Vendor must force a password change if there is evidence the password may have been compromised.
(d) Credential encryption. Encrypted passwords and other secrets shall be stored in an industry-accepted form that is resistant to offline attacks.
(e) Rate limiting. Vendor shall implement an industry-accepted rate-limiting mechanism that effectively limits the number of failed authentication attempts that can be made on a user’s account.
4.2.18.1 Single sign-on (SSO) and user management. If Vendor provides software for Navan’s use, either as a service or as packaged software, the software must at a minimum provide the following controls:
(a) Single sign-on. The software must support integration with a SAML and/or OAuth single sign-on identity provider such as Okta or Azure Active Directory.
(b) The software must support enforcement of the Navan-selected single sign-on identity provider as the only possible authentication mechanism.
(c) The software must support either SCIM for automated user lifecycle management or an API to manage user, entitlement and role management within the software, including provisioning, deprovisioning, role and entitlement query, assignment and removal. Vendor shall implement SCIM or APIs that integrate with a centralized Identity Governance (IG) solution (e.g. Okta) to automate the assignment of users and groups to roles within the application.
(d) If Vendor requires a service account to integrate, the Vendor needs to provide the functionality to rotate credentials via automated means.
4.2.19 Multi-factor authentication (MFA). Vendor will implement phishing-resistant multi-factor authentication (i.e., requiring at least two factors to authenticate a user, ideally using FIDO2.X as one of the factors) for access to (i) any network, system, application, or other asset containing Navan Information; or (ii) Vendor’s corporate or development networks.
4.2.20 Data segregation. Except where expressly authorized by Navan in writing, Vendor will logically or physically isolate Navan Information at all times from Vendor’s and any third-party information.
4.2.21 Security testing. Vendor will conduct internal and external penetration testing of systems that Process Navan Information at least annually to identify vulnerabilities and attack vectors that could be used to exploit those systems. Identified vulnerabilities shall be addressed as part of Vendor’s vulnerability management program. Vendor will make available to Navan, upon request, the results of such penetration tests and vulnerability remediation actions. Upon Navan’s request, Vendor will make available any internet-facing systems that store or Process Navan Information to a penetration test by Navan or its representative.
4.2.22 Personnel security and nondisclosure. All Vendor Personnel with access to Navan information must sign an individual NDA with Vendor and successfully complete a background check by Vendor. In addition, Navan may require its own Non-Disclosure Agreement (NDA) to be signed by Vendor and/or individual Vendor Personnel. At a minimum:
4.2.23 Restricted Individuals and Entities (“Covered Persons”). Vendor will prohibit access to Navan Information and systems by Vendor Personnel, Subcontractors, or any other third party that are: (I) listed on the Specially Designated Nationals and Blocked Persons List of the U.S. Department of Treasury (SDN List) or any other U.S. government restricted party list; (II) currently residing in a country subject to sanctions by the Office of Foreign Assets Control (OFAC); (III) an entity 50% or more owned, directly or indirectly, by a person, entity, or government from a “Country of Concern” as defined in Section 4.2.24; or (IV) an employee or contractor of an entity or government of a “Country of Concern” as defined in Section 4.2.24, regardless of where the individual resides, without Navan’s explicit prior written consent.
4.2.24 Restricted Countries of Concern. Vendor will prohibit access to Navan Information and systems by Vendor Personnel who currently reside in or access such information or systems from: (a) the People's Republic of China (including provinces of Hong Kong and the special administrative region of Macau), (b) Russia, (c) Ukraine, (d) North Korea, (e) Iran, (f) Cuba, and (g) Venezuela, unless otherwise specifically approved in writing by Navan. This restriction applies regardless of the Personnel’s nationality. Vendor must ensure that no vendor, subcontractor, or investor involved in performing services under the Agreement is located in, or majority-owned by an entity from, these locations without Navan’s explicit prior written consent.
4.3 PCI DSS requirements. If, in the course of its engagement by Navan, Vendor has access to or will Process credit, debit, or other payment cardholder information, Vendor shall at all times remain in compliance with the Payment Card Industry Data Security Standard (PCI DSS) requirements (in addition to the minimum requirements in Section 4.2), and shall remain aware at all times of changes to the PCI DSS and promptly implement all procedures and practices necessary to remain in compliance with the PCI DSS.
4.4 Subcontracts. Except as expressly set forth in the Agreement, Vendor will not subcontract or delegate any of its obligations under this Security Policy to any subcontractors, affiliates, or delegates (“Subcontractors”) without Navan’s prior written consent. Vendor will ensure that all requirements in this agreement are followed by any subcontractor, subprocessor or affiliate.
4.5 Access to Navan Extranet and Vendor portals. Navan may grant Vendor Personnel access to Navan Information via web portals or other non-public websites or extranet services on Navan’s or a third party’s website or system (each, an “Extranet”) for the Permitted Purposes. If Navan permits Vendor to access any Navan Information using an Extranet, Vendor must comply with the following requirements:
4.5.1 Permitted Purpose. Vendor and its Personnel will access Navan information or systems and access, collect, use, view, retrieve, download or store Navan Information solely for the Permitted Purpose.
4.5.2 Accounts. Vendor will ensure that Vendor Personnel use only the Extranet account(s) designated for each individual by Navan and will require Vendor Personnel to keep their access credentials confidential. Accounts are not to be shared and must use secure multi-factor authentication (MFA).
4.5.3 Systems. Vendor will access Navan Information or systems only through either systems provided by Navan or, in cases explicitly approved by Navan, computing or processing systems or applications running operating systems managed by Vendor that include: (i) system network firewalls in accordance with Section 4.2.10 (firewalls); (ii) centralized patch management in compliance with Section 4.2.6 (vulnerability and patch management); (iii) operating-system-appropriate endpoint detection and response and anti-malware software in accordance with Section 4.2.9 (malware defenses); and (iv) for mobile and portable devices, full disk encryption and mobile device management (MDM) that ensures the device is running a version of the mobile operating system with no known vulnerabilities.
4.5.4 Restrictions. Except if approved in advance in writing by Navan, Vendor will not download, mirror or permanently store any Navan Information from any Extranet on any medium, including any machines, devices or servers.
4.5.5 Account Termination. Vendor will terminate the account of each Vendor Personnel and notify Navan no later than 24 hours after any specific Vendor Personnel who has been authorized to access any Extranet (a) no longer needs access to Navan Information or (b) no longer qualifies as Vendor Personnel (e.g., the personnel leaves Vendor’s employment).
4.6 Navan Sub-Domains or URLs. Any sub-domain or URL that Vendor provisions for Navan’s sole use during the contracted period must not be issued or re-used by a non-Navan customer for 5 years after Navan terminates use of the service.
5. Data Retention, Return, and Destruction
5.1 Retention. Vendor will retain Navan Information for a duration of time that is only as necessary for the Permitted Purposes.
5.2 Return and secure deletion of Navan Information. At any time during the term of the Agreement at Navan’s request, or upon the termination or expiration of the Agreement for any reason, Vendor shall, within 5 business days (or 30 calendar days for data in backup or online storage), return to Navan and securely delete all copies of Navan Information in its possession or control. Vendor shall confirm in writing that all copies of Navan Information have been returned and securely deleted.
5.3 Archival copies. If Vendor is required by law to retain archival copies of Navan Information for tax or similar regulatory purposes, Vendor shall (i) not use the archived information for any other purpose; and (ii) remain bound by its obligations under this agreement, including, but not limited to, its obligations to protect the information using appropriate safeguards and to notify Navan of any Security Incident involving the information.
5.4 Deletion standard. All Navan Information deleted by Vendor will be securely deleted using an industry-accepted practice designed to prevent data from being recovered using standard disk and file recovery utilities (e.g., secure overwriting, degaussing of magnetic media in an electromagnetic flux field of 5000+ GER, shredding, or mechanical disintegration). With respect to Navan Information encrypted in compliance with this Security Policy, Vendor may delete data by permanently and securely deleting all copies of the encryption keys. For physical documents containing Navan Information, disposal must be conducted using industry-accepted practice (e.g., cross-cut shredding, pulping, or incineration by certified secure destruction vendors).
5.5 Media destruction. Before permanently discarding or disposing of storage media that (1) Vendor has physical access to or control of (e.g., laptop hard drives, desktop hard drives, USB or “thumb” drives, backup media, hard drives used in the Vendor’s own data center, or other portable storage media) and (2) contains, or has at any time contained, Navan Confidential Information, Vendor will destroy the storage media using a technique designed to render the media unusable and the data unrecoverable (e.g., disintegration, incineration, pulverizing, shredding, and melting). This section shall not apply to storage media that Vendor does not have physical access to or control of, such as storage media used in a public cloud or other third-party environment. In such cases, Vendor shall ensure that all Navan Confidential Information stored in the third-party environment is securely deleted when no longer needed using an industry-accepted practice (see Section 5.4, Deletion standard).
6. Security Reviews and Audits
6.1 Vendor assessment questionnaires. Upon Navan’s request, Vendor will complete a new Navan risk assessment questionnaire.
6.2 Compliance with agreement. Upon Navan’s request, Vendor will confirm in writing to Navan Vendor’s compliance with this Agreement.
6.3 Other reviews; audits. Upon Navan’s written request, to confirm Vendor’s compliance with this Agreement, Vendor grants Navan or, at Navan’s election, a third party on Navan’s behalf, permission to perform an assessment, audit, examination, or review of the Physical, Organisational, Personnel, and Technical Safeguards in place to protect Navan Information Processed by Vendor under the Agreement. Vendor shall fully cooperate with the assessment. Such requests by Navan are limited to no more than once annually.
6.4 Remediation. Vendor will promptly address any exceptions or deficiencies identified during Navan’s security review or in any audit report, by developing and implementing a corrective action plan agreed to by Vendor and Navan, at Vendor’s sole expense.
6.5 Cloud and Web application. If Vendor services under the Agreement include a web application, cloud service or API, Vendor will (I) maintain an annual SSAE 18 SOC 2 Type 2 report and will make such report available to Navan upon request; (II) enter into a mutually agreed upon data processing agreement and maintain a privacy policy that complies with applicable law; (III) maintain a denial of service recovery plan to ensure continuous availability of the service; (IV) enable Navan or a third party on Navan’s behalf to perform penetration testing of Vendor’s internet-facing services upon written notification from Navan and no more than once annually; and (V) maintain a disaster recovery and resiliency plan that ensures recovery of Navan data as soon as possible and no later than 72 hours.
7. Security Incidents
7.1 Security Incident defined. A “Security Incident” is (i) any actual or suspected compromise of the Confidentiality, Integrity, or Availability of Navan Information; (ii) any actual or suspected compromise of, or unauthorized access to, any system that Processes Navan Information that presents a risk to the Confidentiality, Availability, or Integrity of Navan Information; or (iii) receipt of a complaint, report, or other information regarding the potential compromise or exposure of Navan Information Processed by Vendor.
7.2 Incident response plan. Vendor shall maintain a written incident response plan and provide a copy of the plan to Navan upon request. Vendor will remedy each Security Incident in a timely manner following its response plan and industry best practices.
7.3 Notice required. Vendor will notify Navan of any Security Incident within 48 hours of becoming aware of the Security Incident by emailing security@Navan.com and providing incident detail, impact and a dedicated point of contact within Vendor that will engage with the Navan security team until the incident is remediated and information requested by Navan security is made available.
7.4 Cooperation with Navan’s investigation. Vendor will reasonably cooperate with Navan in Navan’s handling of a Security Incident, including, without limitation: (i) coordinating with Navan on Vendor’s response plan; (ii) assisting with Navan’s investigation of the Security Incident; (iii) facilitating interviews with Vendor Personnel and others involved in the Security Incident or response; and (iv) making available all relevant records, logs, files, data reporting, forensic reports, investigation reports, and other materials required for Navan to comply with applicable laws, regulations, or industry standards, or as otherwise required by Navan.
7.5 Third-party notifications. Vendor agrees that it shall not notify any third party (including any regulatory authority or customer) of any Security Incident that explicitly mentions Navan or its customers without first obtaining Navan’s prior written consent. Further, Vendor agrees that Navan shall have the sole right to determine: (i) whether notice of the Security Incident is to be provided to any individuals, regulators, law enforcement agencies, or others; and (ii) the form and contents of such notice.
8. Notice of Legal Process
Vendor will, unless prohibited by law, inform Navan within 48 hours when Navan’s data is being sought in response to legal process or other applicable law (e.g., 18 U.S.C. § 2705(b)).
9. Insurance
During the term of the Agreement, Vendor shall secure and maintain a policy of: (a) Commercial General Liability insurance with limits no less than $1,000,000 per occurrence and $2,000,000 in the aggregate, and (b) Professional Liability Insurance covering the effects of errors and omissions (including, without limitation, trademark and copyright infringement, cyber-liability, technology professional liability and e-commerce liability), applicable to its acts and omissions including, without limitation, the negligence or willful misconduct of Vendor, its employees, agents, representatives and/or contractors, with respect to Vendor’s obligations described herein with a policy limit no less than $10,000,000 per claim to be maintained for the duration of the Agreement. Vendor shall provide 30 days' prior written notice of cancellation or material modification of a policy here required only in the event such policy is not replaced with one that meets the requirements of this Section or if there is a lapse in coverage.
10. Artificial Intelligence; Machine Learning
10.1 AI Training. Vendor shall not use Navan Information to train any artificial intelligence or machine learning engine or system, neural network, or similar system except as expressly permitted by Navan in writing. Such written consent may be withheld by Navan in its sole discretion.
10.2 AI Feature Opt-In. If Vendor’s Services contain any artificial intelligence features or functionality (“AI Feature”), the Services must permit Navan admin users to disable such AI Feature for all Navan users of the Vendor’s Services. Any new AI Feature made available to Navan must require specific opt-in by an admin user (designated by Navan) before use.
10.3 AI Feature Change Logging. Vendor agrees that any AI Feature changes (including enabling or disabling of an AI Feature) must be included as an “event” in Vendor’s audit logs as required by Section 4.2.7 of this Security Policy.
10.4 AI Policy. Vendor must maintain an AI policy compliant with applicable legislation within the jurisdictions in which it operates. A copy of Vendor AI policy will be made available for review by Navan on request.
10.5 AI Training and Awareness. Vendor must train their employees on their AI and Machine Learning policy.
10.6 AI Indemnification. Vendor shall indemnify, defend and hold Navan harmless from and against all intellectual property or loyalties lawsuits, claims, liabilities, damages, settlements, or judgments, including Navan’s costs and attorney fees, which arise as a result of any output generated by Vendor AI or machine learning functionality.
11. Biometrics
Except as expressly permitted by Navan in writing, Vendor shall not Process Navan Information in a way that results in the extraction, identification or retention of any Biometric Identifiers, and shall not cause Navan to Process Biometric Identifiers as a result of Vendor’s Processing.
12. Tracking Technologies
Vendor shall not place any cookies, pixels, beacons, or other similar tracking technologies on Navan owned or operated websites without the express prior written consent of Navan Legal.
13. Indemnification
Vendor shall indemnify, defend and hold Navan harmless from and against all lawsuits, claims, liabilities, damages, settlements, or judgments, including Navan’s costs and attorney fees, which arise as a result of Vendor's negligent acts or omissions or willful misconduct or failing to meet the information security requirements outlined in this Security Policy.
14. Enforcement
Any violation of the security requirements set forth in this Security Policy shall constitute a material breach of the Agreement. Upon discovery of any such violation, Vendor shall have thirty (30) days from written notice to cure such breach to Navan’s reasonable satisfaction ("Cure Period"). If Vendor fails to cure the breach within the Cure Period, Navan may immediately terminate the Agreement. In addition to any other remedies available to Navan under the Agreement or applicable law, Vendor shall reimburse Navan for all reasonable costs, expenses, and damages incurred by Navan as a direct result of such breach, including but not limited to costs associated with investigation, remediation, notification, legal fees, regulatory fines, and penalties.