Security and ISO Certification

Safeguarding your data with rigorous security protocols and certified compliance.

At CarbonChain, we understand that trust and security are critical to being your carbon accounting platform. That's why, from our very inception, we have made the development of a secure platform and product a priority.

When you partner with CarbonChain, you can be confident that your data is in safe hands. As a service provider and data processor, we take our role in safeguarding your sensitive information incredibly seriously.

Our unwavering commitment to security is reflected in our robust data protection practices, our operational controls, adherence to industry standards, and the continuous enhancement of our security measures.
Steve McColl, Chief Technical Officer (CarbonChain)

Trust, but verify

In 2024, CarbonChain was certified by Isoqar as ISO 27001:2022 compliant. This was an opportunity for us to show an external auditor our Information Security Management System (ISMS), how we approach and mitigate risk, and the operational controls that allow us to operate a secure company.

We were proud to complete this process with no findings; this means zero non-conformances to the ISO 27001 specification were identified and no opportunities for improvement were flagged. The certificate is valid until 31st July 2027; until then, CarbonChain will undertake a stringent process for ongoing review.

Protecting our customers' data

Protecting our customer data is critical to building a growing and sustainable business that enables companies to report on their carbon emissions and work towards reducing them. We operate CarbonChain with the following processes:

  • All data is encrypted at rest and in transit;
  • Customer data is logically separated to maintain confidentiality;
  • We abide by the principle of least privilege. Our product and cloud environment are configured to manage access to data via roles and, by default, assume no access unless specifically granted;
  • Access to our product is typically via SAML-based SSO (Security Assertion Markup Language-based single sign-on). This means we can leverage your identity infrastructure to define access to your data and place some of the data controls in your hands;
  • The ability to audit our systems is important for us and our customers and therefore access is logged and retained.

Secure SDLC

An effective secure software development lifecycle (Secure SDLC) is a critical component in building resilient and trustworthy software solutions. By integrating security into every phase of the development process, from initial design to deployment and maintenance, CarbonChain proactively identifies and mitigates vulnerabilities before they become exploitable weaknesses.

A key component of this approach is leveraging frameworks like the OWASP Top 10, which provides a comprehensive list of the most critical security risks to web applications. By addressing these risks during development, organizations can significantly reduce the likelihood of successful attacks.

Additionally, a robust Secure SDLC includes a commitment to regular patching of software versions. As new vulnerabilities are discovered, we rely on a variety of external signals to keep us informed so that we can rapidly patch and deploy our software ahead of industry standards.

Ongoing adaptation and quarterly processes

Ensuring that there is ongoing value in our Information Security Management System means regular review and development of our risk and operational controls. As a result, CarbonChain has committed to a series of actions every quarter to ensure that our systems and controls grow and adapt ahead of our company growth.

FAQs

Do you have SOC 2 Type II certification?

We’re a UK-headquartered company and, outside of the USA, many of our customers expect an ISO 27001 certification rather than a SOC 2 Type II certification.

The ISO 27001 standard itself – and its audit process – is more in-depth than SOC 2 and results in a more secure platform by default.

Most of the five SOC 2 trust service criteria map directly into ISO 27001 and so these can be considered to be equivalent.

How is my data exchanged and delivered?

CarbonChain offers secure delivery options: direct to customer-specific storage locations using secure delivery mechanisms or via SendSafely, a secure data delivery system.

How and where is data stored and processed?

Your data is stored and processed in European data centers. We rely on the following sub-processors to provision infrastructure and host our services:

  • AWS
  • Google Cloud Platform
  • Neo4j
  • SendSafely
  • Segment

How is my data processed, and who has access?

Your data is processed in cloud environments that we provision and manage to ensure that data is isolated and secure, and that access is limited and audited.

Who has access to your data?

  • Our Customer Engineers access your data during the onboarding process, to map it into the CarbonChain data model and to ensure you get insight and value from our platform. They will also have access to your data during updates / data refreshes.
  • Our Customer Success team has access to your data via the CarbonChain product, so that they can support you.
  • Our Support Engineers have access to your data if we have to diagnose a software or data issue.

At all times, access to data is restricted by our role-based access controls and audited.

How does product access work?

We work with you during onboarding to ensure that access to our product and the required visibility rules are defined for your teams and business. This access can be audited at any time.

We prefer integrating our customers’ identity/SSO provider into our product so that internal events (for example, the departure of an employee) immediately result in access being revoked in our platform.

How does CarbonChain manage security for software releases?

At CarbonChain we release software multiple times per week to ensure that we are delivering new value to our customers as quickly as possible. Our secure SDLC ensures that our testing and deployment approach delivers secure, validated software to our customers without our team needing to manually deploy and configure our software.

In addition to releasing software multiple times per week, we also apply recent security patches, which we have reviewed and approved, to the open-source software we rely on.

What is your approach to disaster recovery and business continuity?

On a periodic basis, as part of our ISMS, we assess business continuity risk and run scenarios with our management team.

Additionally, we identify disaster scenarios and run drills to ensure our Tech team is familiar with the processes to escalate, communicate to customers, triage and repair our product during a variety of disaster scenarios.

Do you have a bug bounty program?

CarbonChain does not offer a bug bounty program at this time. Any submissions are gratefully received at support[at]carbonchain[dot]com.
