Navattic Security Overview

Published May 11, 2021 | Updated July 12, 2022

Introduction

At Navattic, security is paramount. Interactive demos built on Navattic are often integrated into essential parts of the go-to-market motion: embedded on high-traffic landing pages, shared in marketing campaigns or used by front-line sellers to deliver demos over Zoom. In line with this, we have always prided ourselves on having robust security safeguards and being extremely responsive to our customers’ special security requirements.

Navattic is SOC 2 Type II certified. Our examination was performed by the Johanson Group. For each of the security criteria mapped to Navattic’s controls over the course of the audit, no exceptions in the controls were noted. SOC 2 Type II is an important industry standard, verifying that Navattic current and future customers can be confident about their data security and integrity. Our report is available on request, under NDA.

Product Security

Authentication

Navattic only allows authentication from Google Workspace (formerly GSuite) and verified corporate emails. Navattic does not store any passwords.

Permissions

Navattic supports flexible permission levels for teammates. Permission levels can be set globally within the Navattic settings tab.

Servers & Networking

All Navattic servers and structured datastores use managed infrastructure services provided and secured by PlanetScale.

Our web servers encrypt data in transit using the industry standard for HTTPS security (TLS 1.2) so that requests are protected from eavesdroppers and man in-the-middle attacks. Our SSL certificates are 2048 bit RSA, signed with SHA256.

Storage

All persistent data is encrypted at rest using industry standard AES-256 algorithms.

Operational Security

Policies

Navattic has developed a comprehensive set of security policies covering a range of security-related topics. These policies are updated frequently and shared with all employees.

Employee Training

All Navattic employees are trained on security best practices and awareness during onboarding. We perform annual disaster recovery and data restoration tests.

Employee Equipment

All employee computers have strong passwords, encrypted disks, and monitoring agents. No Windows computers or servers are used in development other than in isolated testing environments.

Employee Access

We use Google account infrastructure to verify employee account identity and require two-factor authentication for apps that access critical infrastructure or customer data.

Access to administrative interfaces additionally enforce administrator permissions where applicable, and all administrative access is logged and auditable both in the form of traditional web server logs and session recordings to make it easy to find and review any administrative activities with full fidelity.

All employee contracts include a confidentiality agreement.

Code Reviews and Production Deployment

All changes to source code are subject to automated testing and any that affect security require pre-commit code review by a qualified engineering manager that includes security, performance, and potential-for-abuse analysis.

All code is deployed to a staging environment for quality assurance and automated tests must pass prior to updating production services.

Backups and Recovery

Navattic uses highly redundant datastores, rapid recovery infrastructure, and point-in-time backups making unintentional loss of customer data very unlikely.

Pentests

We engage third-party security experts to perform detailed penetration tests on the Navattic app and infrastructure.

Customer Payment Information

We use Stripe for payment processing and do not store any credit card information. Stripe is a trusted, Level 1 PCI Service Provider.

Incident Reporting

Incident Response

Navattic implements a protocol for handling security events which includes escalation procedures, rapid mitigation, and post mortem. All employees are informed of our policies.

Responsible Disclosure

Navattic has a Responsible Vulnerability Disclosure program. Please see the program detail page to learn more about the program, rules of engagement, and processes to submit vulnerability reports.

If you have a security concern, question, or are aware of an incident, please send an email to security@navattic.com.