˽·¿¾ãÀÖ²¿

Security at ˽·¿¾ãÀÖ²¿

?

Last Updated: May 13, 2025

Overview

From inception, ˽·¿¾ãÀÖ²¿ recognized the need to have security architected throughout the ˽·¿¾ãÀÖ²¿ Climate Management & Account Platform (CMAP) and our supporting services. Our customers share data to calculate their carbon footprint and expect their data to be kept secure and confidential. ˽·¿¾ãÀÖ²¿ has invested heavily in our platform to enable enterprise-grade security features and processes. With this, ˽·¿¾ãÀÖ²¿'s security posture is guided and maintained by four (4) security principles as described further on this page:

1. Provision and Manage Users with the Principle of Least Privilege
2. Architect and Develop for Security and Privacy
3. Train and Educate on Security Repeatedly
4. Align and Comply with Industry Security Standards

For further information of ˽·¿¾ãÀÖ²¿'s security and privacy controls or to request copies of ˽·¿¾ãÀÖ²¿'s audit reports and certifications, please visit .

Shared Security Responsibility Model (SSRM)

As a Software as a Service (SaaS) application hosted in Amazon Web Services (AWS), we maintain a list of security responsibilities that are shared between AWS, ˽·¿¾ãÀÖ²¿, and ˽·¿¾ãÀÖ²¿¡¯s customers. At a summary level those responsibilities are:?

• AWS is responsible for the physical data centers, networking, perimeter security, hardware configurations, and availability of the Platform-as-a-Service (PaaS) services provided to ˽·¿¾ãÀÖ²¿ for use in the CMAP.?
• ˽·¿¾ãÀÖ²¿ is responsible for security configurations including but not limited to data encryption at rest and in transit, network and firewall restrictions, and application, database,? container, and infrastructure security.
• ˽·¿¾ãÀÖ²¿'s customers are responsible for the proper use of and security access configurations in the CMAP. Other responsibilities include but are not limited to user setup and management, user access reviews, data quality, data classification standards, third-party integration setup, and, as applicable, the single sign-on (SSO) setup.

Principle 1: Provision and Manage Users with the Principle of Least Privilege

• The security principle of "least privilege" is utilized across all ˽·¿¾ãÀÖ²¿ systems. Access to platform code and data depends on the resource¡¯s role, and production access by employees is particularly controlled and restricted.
• ˽·¿¾ãÀÖ²¿ utilizes Privileged Access Management (PAM) to manage and audit access to production infrastructure. Using PAM, developers must request access to a production system and the request must be approved by ˽·¿¾ãÀÖ²¿¡¯s Engineering leadership. Once access is granted, the access duration is limited to a specific duration and activity logs are available for later review.
• ˽·¿¾ãÀÖ²¿ reviews ˽·¿¾ãÀÖ²¿ personnel access to all? systems at least quarterly.
• Customers are responsible for reviewing access to their ˽·¿¾ãÀÖ²¿ account following their own access review policies and procedures. ˽·¿¾ãÀÖ²¿ employees with direct access to customer accounts are always shown in ˽·¿¾ãÀÖ²¿ User Manager screen, so customers have a full view of all users with access to their data.

Principle 2: Architect and Develop for Security and Privacy

Architecture

• The ˽·¿¾ãÀÖ²¿ CMAP consists of a multi-tier, multi-tenant SaaS application hosted in AWS and is architected into four distinct tiers or layers: the highly protected database tier, API tier, front-end tier, and web browser (which is managed by the customer).?
• Web application firewalls, security groups, access control lists, and other security detection and control mechanisms are deployed between layers to provide multiple layers of protection between the internet and database tier.?

Authentication

• ˽·¿¾ãÀÖ²¿ supports identity provider (IdP) initiated SSO via the SAML protocol with IdPs such as Okta, Microsoft, and Ping.
• If SSO is not utilized, ˽·¿¾ãÀÖ²¿ uses password-less authentication and emails one-time access codes to users during user authentication. ˽·¿¾ãÀÖ²¿ does lock accounts after 5 failed login attempts. ˽·¿¾ãÀÖ²¿ also allows customers to enable multi-factor authentication and IP allow listings.

Data Storage and Backup

• ˽·¿¾ãÀÖ²¿'s multi-tenant architecture concurrently stores data in AWS US-East 2 (Ohio), EU-West 1 (Ireland), and AP-Northeast 1 (Tokyo).
• Data within the ˽·¿¾ãÀÖ²¿ Platform is backed up continuously and can be restored to any point in the last 72 hours.?
• Additionally, backups are taken each day and maintained for at least a year.?
• Backups will always be encrypted using Advanced Encryption Standard (AES) 256-bit encryption and are stored in secure, geographically dispersed AWS S3 buckets.

Encryption

• ˽·¿¾ãÀÖ²¿ utilizes encryption at rest using Advanced Encryption Standard (AES) 256 and encryption in transit via TLS 1.2 or above. ˽·¿¾ãÀÖ²¿ also utilizes Perfect Forward Secrecy (PFS) ciphers for data transmission outside the CMAP.
• ˽·¿¾ãÀÖ²¿'s multi-tenant architecture utilizes AWS managed encryption keys.

Monitoring & Logging

• ˽·¿¾ãÀÖ²¿ maintains monitoring and logging for each level of the platform's architecture, including databases, containers, load balancers, firewalls, and other application components.
• ˽·¿¾ãÀÖ²¿ maintains all log information for at least one year for security reviews.
• If a security event is identified to be a threat, ˽·¿¾ãÀÖ²¿ Engineering and Information Security teams are notified immediately to triage, classify, contain, and remediate the security event or incident, including details such as the time of the event and impact to the platform.

Physical Security

• ˽·¿¾ãÀÖ²¿ is hosted in Amazon Web Services (AWS), and AWS data centers maintain several physical security controls to protect ˽·¿¾ãÀÖ²¿ and customer data. ˽·¿¾ãÀÖ²¿ reviews and validates AWS security controls at least annually to affirm they are operating effectively. Please navigate the page for further information on its data center controls.?

Secure Software Development Lifecycle (SDLC)

• ˽·¿¾ãÀÖ²¿ implements automated and manual review processes to ensure quality and security assurance in our software development processes starting from product design and feature creation through deployment to production.
• Static Application Security Testing (SAST) of the platform's containers, software packages, and code is conducted with each software build.

Vulnerability Management

Network & System Hardening Standards

• ˽·¿¾ãÀÖ²¿ implements its application infrastructure and network configurations with guidance from industry-leading security standards such as NIST Cybersecurity and CIS Level 2 frameworks.
• ˽·¿¾ãÀÖ²¿ maintains and executes security baseline requirements for each layer of the platform architecture.

Principle 3: Train and Educate on Security Repeatedly

• All ˽·¿¾ãÀÖ²¿ employees and contractors undergo security awareness and data privacy training upon hire and annually thereafter.
• All ˽·¿¾ãÀÖ²¿ employees and contractors undergo criminal background checks before starting at ˽·¿¾ãÀÖ²¿.
• All ˽·¿¾ãÀÖ²¿ Engineering personnel undergo secure development + OWASP 10 training upon hire and annually thereafter.
• Informal security awareness training is conducted every two weeks during ˽·¿¾ãÀÖ²¿ all company meetings.

Principle 4: Align and Comply with Industry Security & Privacy Standards?

Security Compliance

Privacy Compliance

• ˽·¿¾ãÀÖ²¿ is prepared to comply with obligations applicable to it according to global data protection laws, including GDPR and CCPA. Please see our Privacy Policy for further information on your data privacy rights and how we comply with these regulations.
• Since Personally Identifiable Information (PII) is not required for carbon accounting calculations, ˽·¿¾ãÀÖ²¿ stores and processes very limited PII. Only users¡¯ first name, last name, business email address, and IP address are stored in order to support authentication, logging, and audit requirements.
• Further to the shared data security responsibility principles, ˽·¿¾ãÀÖ²¿ specifically requests that customers do not upload other PII to the CMAP.