Security

Security at Navon.

Operators trust us with how their business runs. That trust is the design constraint: security is embedded in the platform at every level.

Our commitment

Security built into every layer.

Operational data is the business. So the guarantees live in the architecture: isolated organizations, permissions enforced at the data layer, approvals with named owners, and honest lines about what runs where. Structural, then contractual.

Isolated at the data layer

Access rules are enforced by the database on every table, and cross-organization isolation is tested, never assumed.

Proposal-first AI

Assistant actions wait for a named owner's approval before anything executes.

Your data leaves with you

Record exports are built into the product, and export or deletion requests go straight to the team.

The controls

Governed by default.

The same controls that govern the platform govern every engagement. They are how the system is built.

Our infrastructure providers are independently audited to industry-standard security frameworks.

01

Tenant isolation

Every organization's records are isolated at the database layer, and that isolation is tested, never assumed.

02

Row-level security

Permission enforcement at the data layer, on every table, so the interface is never the only guard.

03

Encryption

Encrypted in transit and at rest, across every record.

04

Least privilege

Role checks run at the application layer and again at the database. Unknown roles fail closed to read-only.

05

Audit logging

Approvals, escalations, and record events land in an append-only trail with a named actor.

06

Your data stays yours

Never used to train models, never visible to another organization, never pooled across clients.

Where it runs

One posture, two surfaces.

The hosted application and the systems an engagement deploys follow the same rules. The difference is where they run, and we are precise about that line.

The application

The hosted platform, run and operated by Navon.

A managed cloud product. Isolation, permissions, and audit live in the database and the application layer, and the same enforcement applies to every organization on the platform.

Organization isolation on every table
Role checks that fail closed
Proposal-first assistant actions
Append-only record events
Soft-delete history
Signed webhooks

The engagement

What an advisory engagement deploys in your environment.

Agents, automations, and the compute behind them can land in your cloud, your VPC, or fully local on your own hardware. Residency is scoped during the evaluation, before anything is built.

Your cloud
Your VPC
Fully local
Least-privilege wiring
Scoped integrations
Training and handover

The data lifecycle

From evaluation to departure.

What happens to your data at each stage of working with Navon.

01

Evaluation

Access, residency, and integration scope are mapped before anything is built. You see what the system will touch and why.

02

Deployment

Wiring follows least privilege. Each connection gets the narrowest access that does the job, and nothing more.

03

Operation

Isolation, role checks, and event trails do their work on every record, every day, for every organization.

04

Departure

Records export from the product directly, and account export or deletion requests go straight to the team.

Engagements run where your data has to stay.

When an engagement deploys agents, automations, or the compute behind them, that footprint can land in your cloud, your VPC, or fully local on your own hardware. Residency is scoped during the evaluation, so the architecture honors your requirements from day one.

How deployment works

Nothing acts without an owner.

Human review is the default. Assistant actions and managed agents propose to a named owner and wait; a team can turn on autonomous execution when it is ready. Either way, every decision lands in the record's event trail as it happens.

How agents are governed

Security FAQ

Common questions.

Straight answers about where things run and who can see what.

Where does the platform run?

Navon is a managed cloud platform that we run and operate. Our infrastructure providers are independently audited to industry-standard security frameworks.

Can Navon run inside our environment?

The hosted platform is operated by us. When an advisory engagement deploys agents, automations, or compute, that footprint can run in your cloud, your VPC, or fully local on your own hardware. Residency is scoped during the evaluation.

Who can see our data?

Only members of your organization, under the role you give them. Isolation is enforced by the database on every table, so records from one organization are never visible to another, and your data is never shared across clients.

What can the AI features do with our data?

Your data is never used to train models. AI features operate under the same permissions as the signed-in user and can only read what that user could already see. Actions are proposals first: by default nothing executes until a named owner approves it, and a team can choose to turn on autonomous execution. The same posture holds for managed agents in an advisory engagement: human review by default, opt-in autonomy, and every action in the record's event trail.

Can we take our data with us?

Yes. Record tables export to CSV directly from the product, and account-level export or deletion requests go straight to the team from your account settings.

Responsible disclosure

Found something we should know about?

Tell us directly. Security reports go to the team and get a reply within one business day.

Report a security concern

See how the architecture fits your requirements.

Residency, access, and oversight are scoped in the evaluation. Tell us your constraints and we will design to them.