TRUST & SAFETY

Security

Security is foundational to everything we build. Here's how we protect your data, your network, and your business.

Platform Security Architecture

The Navion platform is built on a defence-in-depth security architecture designed to protect client data, advertising transactions, and network operations at every layer.


Cloud Infrastructure

Our platform is hosted on enterprise-grade cloud infrastructure in Asia-Pacific data centres. Physical access to data centres is restricted and monitored. We use infrastructure-as-code practices to ensure consistent, auditable configuration management.


Network Security

Network traffic is segmented using virtual private clouds (VPCs) and security groups. All external-facing services are protected by web application firewalls (WAF) and DDoS mitigation services. Internal services communicate over private networks only.


Application Security

Our development practices include secure coding standards, mandatory code review, static application security testing (SAST), and dependency vulnerability scanning. We follow the OWASP Top 10 as a baseline for application security controls.


Data Security

Client data is logically isolated — no client can access another client's data. Data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Database access is restricted to application services through least-privilege principles.

Network Operations Security

For managed retail media networks, Navion implements the following security measures:


Media Player Security

All media players deployed by Navion are configured with hardened operating system images, automatic security updates, and encrypted communications. Remote management is conducted over secure, authenticated channels.


Content Delivery Security

Content delivered to screens is validated before display. Our platform prevents unauthorised content from being served to managed screens through cryptographic signing and validation.


Physical Security

Installed hardware is secured to prevent tampering. We maintain an inventory of all deployed devices and conduct regular audits to verify device integrity.

Incident Response

Navion maintains a documented incident response plan that covers detection, containment, eradication, recovery, and post-incident review.


Detection and Notification

We monitor our systems 24/7 for security anomalies using automated alerting. In the event of a confirmed security incident affecting client data, we will notify affected clients within 72 hours of becoming aware of the incident, in accordance with applicable data protection law.


Severity Classification

  • Critical: Active exploitation, data breach, or service outage. Response within 1 hour.
  • High: Potential exploitation or significant vulnerability. Response within 4 hours.
  • Medium: Non-critical vulnerability or suspicious activity. Response within 24 hours.
  • Low: Minor issues or informational findings. Response within 7 days.

Post-Incident Review

Following any significant incident, we conduct a root cause analysis and implement remediation measures to prevent recurrence.

Compliance and Certifications

Navion is committed to maintaining compliance with applicable security standards and regulations:


  • **Hong Kong Personal Data (Privacy) Ordinance (PDPO)**: We process personal data in accordance with the PDPO and maintain appropriate technical and organisational measures.
  • **OpenRTB and OpenOOH Standards**: Our programmatic infrastructure adheres to IAB Tech Lab's OpenRTB and OpenOOH specifications, which include provisions for brand safety and fraud prevention.
  • **Ad Fraud Prevention**: We implement industry-standard measures to detect and prevent invalid traffic (IVT), including integration with third-party verification providers.

We are working towards formal security certifications and will update this page as certifications are achieved.

Responsible Disclosure

Navion welcomes responsible disclosure of security vulnerabilities. If you believe you have discovered a security vulnerability in our platform or website, please report it to us at [email protected].

Please include:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce the issue.
  • Any supporting evidence (screenshots, logs, etc.).

We commit to:

  • Acknowledging your report within 2 business days.
  • Investigating and responding to your report within 10 business days.
  • Not taking legal action against researchers who follow responsible disclosure practices.
  • Crediting researchers in our security acknowledgements (with permission).

Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate it.