Security
Last update / effective date: November 3, 2025
Organizational Security
Security Principles
Carbonfact applies a risk-based approach to security, aligned with GDPR Article 32. Data protection is a shared responsibility between Carbonfact (as processor), its sub-processors, and its customers. Security measures are continuously reviewed to ensure proportionality to risk.
Risk Management and Compliance
- Carbonfact employs a risk-driven security strategy guided by SOC 2 Type II controls. This enables a dynamic security posture that aligns with actual threats and business impact.
- Security measures and practices undergo annual risk assessments and continuous improvement based on evolving threats.
Employee Awareness and Training
- All employees undergo security and privacy training via the Vanta platform during onboarding and on a periodic basis thereafter.
- Employees are required to adhere to documented Security and Privacy Guidelines, with access restricted to those with a legitimate business need.
Technical Security Measures
Hosting and Infrastructure
- All core components are hosted on Google Cloud Platform (GCP) and Vercel, and are protected via Cloudflare. These providers comply with ISO 22301:2019 and other relevant standards.
- Infrastructure benefits from multi-zone geographical redundancy and automatic failover configurations to ensure availability.
Physical Security
- Carbonfact personnel have no physical access to customer data hosting environments.
- Security relies on Google Cloud Platform and other providers’ ISO 27001 and SOC 2-certified facilities, which implement advanced access controls, surveillance, and redundancy.
Data Encryption
- In transit: All data is encrypted using TLS 1.2 or higher.
- At rest: Personal data stored in databases is encrypted using AES-256.
Authentication and Access Controls
- Authentication is managed via Auth0, supporting SSO and MFA (enabled on customer request).
- Access control is enforced through least privilege principles, regular access audits, and account revocation within one business day of termination.
Backup and Data Recovery
Carbonfact maintains robust backup mechanisms as a foundational component of its operational resilience strategy:
- Automated Backup Procedures: All critical data, including user identification and authentication records, is backed up daily using Google Cloud Platform (GCP) capabilities. These backups are automatically stored in geographically distributed locations within the EU to enhance data durability and regional redundancy.
- Retention Policy: Backup data is retained for up to one year, aligning with disaster recovery and compliance requirements. This ensures sufficient recovery points are available for data restoration in cases such as accidental deletion or system corruption.
- Recovery Mechanisms: GCP’s infrastructure includes built-in automatic regional failover and synchronous replication to minimize downtime and facilitate rapid recovery during infrastructure disruptions.
- Integration with Disaster Recovery Plan: Backup and restoration processes are incorporated into Carbonfact’s Disaster Recovery Plan, which includes regular reviews and post-incident analyses to strengthen future resilience and procedural effectiveness.
Secure Development Practices
SDLC and Change Management
- Development follows a Continuous Delivery model with rigorous CI/CD pipelines that include pull requests, automated testing, and review processes.
- Development, preview, and production environments are strictly separated.
Code and Vulnerability Management
- We have external penetration testing performed on a yearly basis.
- We utilize Aikido.dev and GitHub Dependabot for static code analysis, vulnerability scanning, and dependency monitoring.
- Vulnerability remediation SLAs:
  - Critical: 2 business days.
  - High: 5 business days.
  - Moderate: 30 business days.
  - Low: 90 business days.
Operational Resilience
Incident Management
- A documented Incident Response Plan, reviewed annually, guides the response to security events.
- Monitoring is performed using GCP tools, Cloudflare, and Sentry for real-time detection and alerting.
Breach Notification
- In the event of a personal data breach, Carbonfact will notify affected customers without undue delay, in line with GDPR Articles 33 and 34.
- Notifications include the nature of the breach, potential impacts, and remediation measures.
Disaster Recovery and Business Continuity
- DR plans account for infrastructure failures and human errors, and are supported by high-availability cloud configurations and vendor partnerships.
Data Privacy and Confidentiality
GDPR Compliance
- Carbonfact designs its platform to collect and process minimal personal data (e.g., email, name, IP address, session logs) for its operation, support, and product improvement.
- Onward data transfers are restricted to vetted sub-processors with GDPR-compliant agreements.
- Carbonfact has appointed Dipeeo as its external Data Protection Officer (DPO), who is registered with CNIL, the French GDPR supervisory authority.
Data Subject Rights
- Carbonfact provides a dedicated channel for handling data subject requests (access, rectification, deletion, portability, restriction).
- All requests are addressed within the GDPR-mandated timeframe of 30 days, with appropriate verification of the requester’s identity.
Confidentiality Obligations
- Confidential Information is protected by contractual commitments, ensuring no unauthorized use or disclosure beyond the defined purpose.
Internal Audits
- Carbonfact performs periodic internal reviews and audits of its security controls to ensure ongoing compliance with SOC 2 requirements and GDPR expectations. Findings are tracked and remediated through the continuous improvement cycle.
Monitoring and Auditability
Logging
API Request Logs
- All API calls are recorded with the calling user’s JWT subject, endpoint invoked, request payload size, response status, and latency.
- API errors (4xx/5xx) generate high-severity events, triggering automated alerts.
Data-Change History
For any write operation on critical data (e.g., footprint results, configuration), a discrete audit record is created in a “change history” schema, capturing before-and-after values and the acting user.
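As an added illustration (not Carbonfact's code), one minimal way to construct such a discrete audit record: only changed fields are stored with their before and after values, the acting user is identified by the JWT subject, and secret-bearing fields are marked as changed without copying their contents. The function name, record fields and the SENSITIVE_FIELDS list are assumptions for illustration.

```python
"""Added example: build a "change history" audit record for a write to a critical row."""
from datetime import datetime, timezone
from typing import Any, Optional

# Fields whose values must never be copied verbatim into an audit record (assumed list).
SENSITIVE_FIELDS = {"password_hash", "api_token"}


def build_change_record(
    table: str,
    row_id: str,
    before: Optional[dict[str, Any]],
    after: Optional[dict[str, Any]],
    actor_sub: str,
    now: Optional[datetime] = None,
) -> Optional[dict[str, Any]]:
    """Return one audit record, or None when the write changed nothing.

    before=None denotes an insert, after=None a delete. Only fields whose value
    differs are recorded, keeping the record small and reviewable.
    actor_sub is the JWT 'sub' claim of the user performing the write.
    """
    before = before or {}
    after = after or {}
    changes: dict[str, dict[str, Any]] = {}
    for field in sorted(set(before) | set(after)):
        old, new = before.get(field), after.get(field)
        if old == new:
            continue
        if field in SENSITIVE_FIELDS:
            # Record that the field changed without persisting the secret itself.
            changes[field] = {"before": "<redacted>", "after": "<redacted>"}
        else:
            changes[field] = {"before": old, "after": new}
    if not changes:
        return None
    operation = "insert" if not before else "delete" if not after else "update"
    return {
        "schema": "change_history",  # assumed schema name
        "table": table,
        "row_id": row_id,
        "operation": operation,
        "actor_sub": actor_sub,
        "occurred_at": (now or datetime.now(timezone.utc)).isoformat(),
        "changes": changes,
    }
```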
System & Security Logs
- Infrastructure: OS-level logs (auth, sudo, kernel events) and network logs (Cloudflare WAF, VPC flow logs).
- Application: Sentry error and performance events.
- Authentication: Auth0 login success/failure events, MFA challenges.
User Activity Monitoring
User interactions in the UI are monitored (page views, button clicks, configuration changes) and used for product performance analysis.
Tools and Integration
- Alerting — Custom alerts and dashboards built on Sentry, Cloudflare and Cloud Logging, with automated notification via Slack and emails.
- Cloud Monitoring & Logging (GCP) — API and administration logs are managed with GCP Cloud Logging, with retention and access controls configured per project.
- Cloudflare — Monitors API endpoint availability and performance.
- Posthog — Captures anonymized clickstream and session replay data for UX and misuse analysis.
- Sentry APM — Tracks application errors, performance regressions, and release health.
Third Party Risk Management
- We review all our sub-processors / sub-contractors and third-party service providers with a risk-based due diligence process. This includes security assessments prior to engagement.
- We maintain a register of sub-processors / sub-contractors and monitor their compliance through periodic reviews and audits where applicable.
- All sub-processors are bound by GDPR-compliant Data Processing Agreements (DPAs) that impose equivalent Technical and Organisational Measures (TOMs) and confidentiality obligations.