Version date: 27 March 2026
This Security Policy explains NavaTron’s public security approach for its website, cloud services, and related operations. It also explains how to report security vulnerabilities to us.
We have written this page in plain language. It is a public summary of our security approach, not a certification, warranty, or SLA. If a contract, order, DPA, or SLA contains more specific security commitments, that signed document prevails.
1. Who is responsible?
NavaTron is a Dutch B2B software company. Security is part of how we design, run, and support our products and services.
Public security and responsible disclosure matters are handled by:
NavaTron B.V.
Security Team
security@navatron.com
2. How do we approach security?
We organise security through internal responsibilities covering subjects such as:
- ownership and accountability;
- access management;
- incident handling;
- change management;
- vendor and sub-processor review;
- legal and compliance coordination where personal data is involved.
Security is part of our operational processes, product changes, and support activities. We review our approach regularly and adjust it when our services, infrastructure, or risk profile changes.
3. Hosting and infrastructure
Unless a customer agreement says otherwise, NavaTron uses Microsoft Azure in EU regions for its website and hosted products.
We design our managed environment to limit unnecessary exposure through measures such as controlled administrative access, managed infrastructure, logging, and operational monitoring appropriate to the service.
Some products may also be offered in a private-cloud or customer-hosted model. In those cases, the exact division of responsibilities is described in the relevant contract or implementation documents.
4. Which security measures do we use?
The exact measures depend on the service and deployment model, but they may include:
- encryption in transit using TLS;
- encryption at rest in NavaTron’s managed cloud environment where appropriate;
- access controls based on business need and least privilege;
- logging and monitoring of relevant system and security events;
- backup and recovery procedures;
- patching, vulnerability management, and security review processes;
- confidentiality obligations for staff and contractors.
We do not publish detailed technical security configurations on this page.
5. Access control
We limit access to production systems and customer environments to authorised persons who need that access for their role.
In practice this means, where appropriate:
- named accounts instead of shared credentials;
- role-based permissions;
- access review and removal when no longer needed;
- stronger protections, including multi-factor authentication where supported, for administrative access.
6. Security testing and certifications
NavaTron carries out security review activities on a regular basis and addresses findings according to the relevant risk and severity.
NavaTron currently states that it conducts annual penetration testing of its production environment through qualified third-party assessors. Test results are confidential and are not published publicly, but we may share a summary or attestation with customers under appropriate confidentiality terms.
NavaTron does not currently claim ISO 27001, SOC 2, or a similar formal certification unless we state that separately in writing.
7. Security incidents and personal-data breaches
We detect, investigate, contain, and remediate security incidents in a structured way.
If a personal-data breach occurs:
- when NavaTron acts as controller, we will assess whether notification is required to the Autoriteit Persoonsgegevens and, where applicable, to affected individuals under the GDPR;
- when NavaTron acts as processor, we will notify the relevant customer controller without undue delay in line with the applicable contract and DPA;
- we may also notify affected customers within the contractual or legal timeframe that applies to the incident.
More information about privacy-related handling is available in our Privacy Policy.
8. Vendors and sub-processors
We use third-party providers for parts of our operations, such as hosting, payments, invoicing, analytics, and business communications.
We select providers that are appropriate for the service and risk involved, and we put contractual data protection and confidentiality measures in place where required.
For privacy-related details, see our Privacy Policy and Sub-Processors page.
9. Shared responsibility
Security is shared between NavaTron and its customers.
NavaTron is responsible for the infrastructure and service layers that we operate ourselves.
Customers are responsible for, among other things:
- managing their own users and internal permissions;
- protecting end-user devices and local environments;
- configuring the service in line with their legal and operational needs;
- securing the systems and integrations they control;
- giving lawful instructions where NavaTron acts as processor.
If a service is deployed outside NavaTron’s managed environment, the customer’s responsibilities are usually broader.
10. Responsible disclosure
If you believe you have found a security vulnerability in a NavaTron website, product, or API that we own or control, please report it responsibly to security@navatron.com.
If available, we may provide a PGP key for sensitive reports on request.
What should you include?
Please include where possible:
- a clear description of the issue;
- the affected system, URL, endpoint, or product;
- steps to reproduce the issue;
- screenshots, proof-of-concept material, or other supporting evidence;
- the potential impact;
- contact details for follow-up.
What can you expect from us?
For reports made in good faith and in line with this policy, NavaTron aims to:
- acknowledge the report within 2 business days;
- review and triage it as quickly as reasonably possible;
- communicate with the reporter where appropriate during the investigation;
- inform the reporter when the issue has been resolved or otherwise closed.
Safe harbour
NavaTron will not pursue legal action solely because of responsible security research that:
- is carried out in good faith;
- is limited to what is reasonably necessary to demonstrate the issue;
- avoids privacy harm, service disruption, and data destruction;
- complies with applicable law;
- follows this policy.
This does not authorise:
- accessing, copying, changing, or deleting data that does not belong to you;
- social engineering, phishing, or physical intrusion;
- denial-of-service or similar disruptive testing;
- extortion, ransom demands, or threats;
- persistence, lateral movement, or continued exploitation after the issue is confirmed;
- public disclosure before NavaTron has had a reasonable opportunity to investigate and remediate the issue.
Scope
Unless we say otherwise in writing, this disclosure policy is intended for:
- navatron.com;
- NavaTron-hosted product environments for BuildCentral, NavaLogix, and SimCore;
- NavaTron-operated APIs and customer portals.
The following are generally out of scope:
- third-party systems not owned or controlled by NavaTron;
- social engineering of NavaTron personnel;
- physical security issues;
- generic best-practice observations without a demonstrable vulnerability;
- testing that would unreasonably degrade service availability.
Disclosure timing
We ask reporters not to disclose a vulnerability publicly until NavaTron has had a reasonable opportunity to investigate and remediate it. As a general target, we work toward resolution within 90 days of acknowledgement, but some issues may take longer.
11. Bug bounty
NavaTron does not currently operate a public paid bug bounty programme unless we state otherwise in writing.
12. Contact
For security questions, responsible disclosure reports, or compliance enquiries:
- Security reports: security@navatron.com
- Compliance enquiries: compliance@navatron.com