Data Trust

If your security team has questions, this page answers them.

Where does my data go?

Inputs are encrypted in transit, processed by Mistral on Railway in the United States, then discarded after each response. No persistent record.

Do you train on my queries?

No. Per Mistral's data handling policies, customer data is never used to train Mistral's models. Mistral is the only third-party processor of customer query content.

What frameworks are you compliant with?

GDPR (EU), UK GDPR, CCPA (California), and PIPEDA (Canada). Reviewed annually alongside our Data Processing Agreement.

Can I see your subprocessor list?

Yes. Mistral is the sole third-party processor of customer query content. The full list is published at /legal/subprocessors and updated whenever it changes.

The numbers

Privacy you can audit.

Four facts about how we handle customer data, verified, current, and unchanged.

0: Customer records stored on NavJun servers

AES‑256: Encryption standard, data in transit and at rest

72h: Maximum breach notification window (GDPR-aligned)

4: Privacy frameworks covered (GDPR, UK GDPR, CCPA, PIPEDA)

Last verified April 27, 2026 · Request our DPA at security@navjun.com

Privacy by Design, Not by Policy

We didn't add privacy controls after the fact. We started from zero-knowledge and built the product around it.

Privacy by Design

Your queries and documents are processed in memory and discarded. NavJun does not log, store, or retain your inputs after the response is delivered. No persistent record exists for us to access. There is nothing to leak.

We Never Train on Your Data

Your regulatory questions, your product IP, your internal documents: none of it is used to improve our models or shared with any third party.

Encrypted in Transit & at Rest

All data in transit is protected with TLS 1.2+. Data at rest is encrypted with AES-256. Access is restricted to authorized personnel on a strict need-to-know basis.

SOC 2 Type II Ready

Our security controls are built to enterprise standards, with SSO/SAML support, audit trails, and incident response SLAs that hold up under regulator scrutiny.

Privacy by design

Privacy isn't a feature. It's the architecture.

Your queries and documents are processed in memory and discarded after each response. No retention. No training. No exception.

0: Records stored

0: Logs kept

0: Used for training

How it works

1. You ask. Inputs encrypted in transit and at rest.

2. We process in memory. Mistral runs your query, returns a cited answer.

3. Inputs are discarded. No persistent record. Nothing to leak.

Frameworks covered

🇪🇺 GDPR
🇬🇧 UK GDPR
🇺🇸 CCPA
🇨🇦 PIPEDA

Encryption: AES‑256 at rest

In transit: TLS 1.2+

Audit: SOC 2 Type II

Built for every regulatory environment

Wherever your team operates, NavJun meets you there. We’re designed to satisfy the most demanding data protection frameworks in the world.

GDPR (European Union)

NavJun acts as a Data Processor under Article 28 GDPR. We support DPIAs, maintain records of processing, and notify you within 72 hours of any breach. SCCs available for international transfers.

UK GDPR (United Kingdom)

Same processor obligations as EU GDPR, with UK-specific transfer mechanisms. We support the UK IDTA and UK Addendum to EU SCCs for any cross-border data flows.

CCPA (California)

NavJun operates as a certified Service Provider under the CCPA/CPRA. We never sell or share your Personal Information and only use data for the specific business purposes you’ve engaged us for.

PIPEDA (Canada)

NavJun applies all ten Fair Information Principles under PIPEDA. We collect only what’s necessary, process with your consent, and report breaches to you promptly so you can notify the OPC if required.

Where your data goes (and doesn't)

We document our infrastructure and our subprocessors openly. If something here matters to your security review, ask us. We'll back it up.

Hosting

NavJun runs on Railway with infrastructure in the United States. We do not store customer queries, documents, or product data on our servers. Your inputs are processed in memory and discarded after each response.

Subprocessors

NavJun uses Mistral as its language-model and OCR provider. Per Mistral’s data handling policies, customer data is not used to train Mistral’s models. Mistral is the only third-party processor of customer query content; the full subprocessor list is published at /legal/subprocessors.

Security contact

Found a vulnerability or have a security question? Email us at security@navjun.com. We respond within two business days.

Responsible disclosure

NavJun welcomes responsible disclosure of security vulnerabilities. Please email security@navjun.com with a description of the issue, steps to reproduce, and any supporting materials. Do not publicly disclose the vulnerability before we've had a reasonable opportunity to investigate and remediate. We acknowledge receipt within 2 business days, provide a status update within 5 business days, and credit researchers in our public release notes when a finding leads to a fix (with your permission).

Questions about how we handle your data?

See our complete subprocessor list, or talk to our team directly. We’re transparent by default.