Customer Penetration Testing Policy

Version 1 – Reviewed January 2026  

The purpose of this policy is to show Navvia supports responsible security testing by customers. This policy defines how penetration testing may be conducted against the Navvia platform while ensuring system stability, data protection, and fairness across all customers.

Guiding Principle

Customers are permitted to test Navvia with prior written authorization and within defined boundaries. Navvia operates a multi-tenant environment. Testing must not impact other customers, system availability, or data integrity.

Authorization Requirement

All penetration testing must be pre-approved in writing by Navvia.

To request authorization, customers must provide:

  • Testing company name and primary contact details
  • Scope of testing (URLs, APIs, tenant identifiers)
  • Testing methodology (e.g., OWASP Top 10)
  • Proposed testing window (dates and times)
  • Emergency contact information

Navvia will respond with:

  • Approval or required modifications
  • Final authorized scope
  • Assigned Navvia security contact

Testing without approval is prohibited.

Approved Scope

Testing is limited to the customer’s own tenant and explicitly approved endpoints and APIs.

The following are strictly prohibited:

  • Accessing or attempting to access other customer data
  • Cross-tenant testing or enumeration
  • Testing shared infrastructure beyond defined scope

Activities Permitted

The following activities are generally allowed within the approved scope:

  • Authentication and session testing
  • Authorization and access control validation
  • Input validation testing (e.g., XSS, injection)
  • API security testing within reasonable limits
  • Non-destructive business logic testing

Prohibited Activities

The following activities are not permitted under any circumstances:

  • Denial of Service (DoS) or load/stress testing
  • Automated scanning that degrades system performance
  • Social engineering, phishing, or physical security testing
  • Brute force attacks at scale
  • Data exfiltration beyond minimal proof-of-concept
  • Any activity that may impact other customers

Testing Controls

To ensure platform stability:

  • Testing must occur within the approved time window
  • Traffic volumes must remain within reasonable limits
  • Navvia may pause or terminate testing at any time
  • Customers must immediately stop testing if instructed

Monitoring and Coordination

Navvia will monitor all approved testing activities.

Customers must:

  • Coordinate testing start and end times
  • Maintain real-time contact availability
  • Immediately report any unintended impact

Vulnerability Reporting

All findings must be reported to Navvia promptly.

Reports should include:

  • Description of the issue
  • Steps to reproduce
  • Impact assessment
  • Non-destructive proof-of-concept

Customers must not:

  • Publicly disclose vulnerabilities
  • Access or retain data beyond what is necessary to demonstrate the issue

Data Protection

Testing must not:

  • Modify, delete, or corrupt production data
  • Access sensitive data beyond minimal validation
  • Interfere with normal business operations

Liability and Safe Harbour

Authorized testing conducted in accordance with this policy will be considered a permitted activity.

Activities outside this policy may:

  • Trigger security response procedures
  • Result in suspension of access
  • Be subject to legal action

Recommended Approach

Navvia recommends:

  • Conducting testing in a staging environment where possible
  • Coordinating closely with Navvia security
  • Focusing on application-layer vulnerabilities

Contact

Navvia Security Team

security@navvia.com

Summary

Navvia encourages security testing as part of a strong operational resilience posture.

Test freely but test responsibly within a controlled and approved framework.