
Security

Last update / effective date: January 13, 2026

Organizational Security

Security Principles

Carbonfact applies a risk-based approach to security, aligned with GDPR Article 32. Data protection is a shared responsibility between Carbonfact (as processor), its sub-processors, and its customers. Security measures are continuously reviewed to ensure proportionality to risk.

Risk Management and Compliance

  • Carbonfact employs a risk-driven security strategy guided by SOC 2 Type II controls. This enables a dynamic security posture that aligns with actual threats and business impact.
  • The security measures and practices undergo annual risk assessments and continuous improvements based on evolving threats.

Employee Awareness and Training

  • All employees undergo security and privacy training via the Vanta platform during onboarding and on a periodic basis thereafter.
  • Employees are required to adhere to documented Security and Privacy Guidelines, with access restricted to those with a legitimate business need.

Technical Security Measures

Hosting and Infrastructure

  • All core components are hosted on Google Cloud Platform (GCP) and Vercel, and protected via Cloudflare. These providers comply with ISO 22301:2019 and other relevant standards.
  • Infrastructure benefits from multi-zone geographical redundancy and automatic failover configurations to ensure availability.

Physical Security

  • Carbonfact personnel have no physical access to customer data hosting environments.
  • Security relies on Google Cloud Platform and other providers’ ISO 27001 and SOC 2-certified facilities, which implement advanced access controls, surveillance, and redundancy.

Data Encryption

  • In transit: All data is encrypted using TLS 1.2 or higher.
  • At rest: All data stored in databases is encrypted using AES-256.

Authentication and Access Controls

  • Authentication is managed via Auth0, supporting SSO and MFA (on customer demand).
  • Access control is enforced through least privilege principles, regular access audits, and account revocation within one business day of termination.

Backup and Data Recovery

Carbonfact maintains robust backup mechanisms as a foundational component of its operational resilience strategy:

  • Automated Backup Procedures: All critical data, including user identification and authentication records, is backed up daily using Google Cloud Platform (GCP) capabilities. These backups are automatically stored in geographically distributed locations within the EU to enhance data durability and regional redundancy.
  • Retention Policy: Backup data is retained for up to one year, aligning with disaster recovery and compliance requirements. This ensures sufficient recovery points are available for data restoration in cases such as accidental deletion or system corruption.
  • Recovery Mechanisms: GCP’s infrastructure includes built-in automatic regional failover and synchronous replication to minimize downtime and facilitate rapid recovery during infrastructure disruptions.
  • Integration with Disaster Recovery Plan: Backup and restoration processes are incorporated into Carbonfact’s Disaster Recovery Plan, which includes regular reviews and post-incident analyses to strengthen future resilience and procedural effectiveness.

Secure Development Practices

SDLC and Change Management
  • Follows a Continuous Delivery model with rigorous CI/CD pipelines that include pull requests, automated testing, and review processes.
  • Development, preview, and production environments are strictly separated.
Code and Vulnerability Management
  • We have external penetration testing performed on a yearly basis.

  • We utilize Aikido.dev and GitHub Dependabot for static code analysis, vulnerability scanning, and dependency monitoring.

  • Vulnerability remediation SLAs

    • Critical: 2 business days.
    • High: 5 business days.
    • Moderate: 30 business days.
    • Low: 90 business days.

Operational Resilience

Incident Management
  • A documented Incident Response Plan, reviewed annually, guides the response to security events.
  • Monitoring is performed using GCP tools, Cloudflare, and Sentry for real-time detection and alerting.
Breach Notification
  • In the event of a personal data breach, Carbonfact will notify affected customers without undue delay, in line with GDPR Articles 33 and 34.
  • Notifications include the nature of the breach, potential impacts, and remediation measures.
Disaster Recovery and Business Continuity
  • DR plans account for infrastructure failures and human errors, and are supported by high-availability cloud configurations and vendor partnerships.

Data Privacy and Confidentiality

GDPR Compliance
  • Carbonfact designs its platform to collect and process minimal personal data (e.g., email, name, IP address, session logs) for its operation, support, and product improvement.
  • Onward data transfers are restricted to vetted sub-processors with GDPR-compliant agreements.
  • Carbonfact has appointed Dipeeo as its external Data Protection Officer (DPO), who is registered with CNIL, the French GDPR supervisory authority.
Data Subject Rights
  • Carbonfact provides a dedicated channel for handling data subject requests (access, rectification, deletion, portability, restriction).
  • All requests are addressed within the GDPR-mandated timeframe of 30 days, with appropriate verification of the requester’s identity.
Confidentiality Obligations
  • Confidential Information is protected by contractual commitments, ensuring no unauthorized use or disclosure beyond the defined purpose.
Internal Audits
  • Carbonfact performs periodic internal reviews and audits of its security controls to ensure ongoing compliance with SOC 2 requirements and GDPR expectations. Findings are tracked and remediated through the continuous improvement cycle.

Monitoring and Auditability

Logging

API Request Logs

  • All API calls are recorded with the calling user’s JWT subject, endpoint invoked, request payload size, response status, and latency.
  • API errors (4xx/5xx) generate high-severity events, triggering automated alerts.

Data-Change History

For any write operation on critical data (e.g., footprint results, configuration), a discrete audit record is created in a “change history” schema, capturing before-and-after values and the acting user.

System & Security Logs

  • Infrastructure: OS-level logs (auth, sudo, kernel events) and network logs (Cloudflare WAF, VPC flow logs).
  • Application: Sentry error and performance events.
  • Authentication: Auth0 login success/failure events, MFA challenges.

User Activity Monitoring

User interactions in the UI are monitored (page views, button clicks, configuration changes) and used for product performance analysis.

Tools and Integration
  • Alerting — Custom alerts and dashboards built on Sentry, Cloudflare and Cloud Logging, with automated notification via Slack and emails.
  • Cloud Monitoring & Logging (GCP) — API and administration logs are managed with GCP Cloud Logging, with retention and access controls configured per project.
  • Cloudflare — Monitors API endpoint availability and performance.
  • PostHog — Captures anonymized clickstream and session replay data for UX and misuse analysis.
  • Sentry APM — Tracks application errors, performance regressions, and release health.

Third Party Risk Management

  • We review all our sub-processors / sub-contractors and third-party service providers with a risk-based due diligence process. This includes security assessments prior to engagement.
  • We maintain a register of sub-processors / sub-contractors and monitor their compliance through periodic reviews and audits where applicable.
  • All sub-processors are bound by GDPR-compliant Data Processing Agreements (DPAs) that impose equivalent Technical and Organisational Measures (TOMs) and confidentiality obligations.

Sub-Processors

Last edited on: January 13, 2026.
Added details on Processed Personal Data when applicable. 

Carbonfact Platform & Carbonfact for Suppliers

Subscribe here to receive updates when we add or change a sub-processor for Carbonfact Platform & Carbonfact for Suppliers.

Core Sub-Processors

These sub-processors process customer data and personal data on behalf of Carbonfact, where Carbonfact acts as a Data Processor for its customers.


Auth0
  • Purpose: Enables secure login, signup, and session management for customer users and internal admins.
  • Description of Data Processing: Identity and access management service hosted in EU; processes user identity data (first, last names, email address, role/position), credentials, tokens, and authentication metadata.
  • Processed Personal Data:
    • Email addresses
    • Names (first and last)
    • Password hashes
    • User IDs
    • IP addresses
    • Login timestamps and session data
    • Authentication tokens and metadata
  • Company: Auth0, Inc
  • Headquarter Address: 10800 North East 8th Street Suite 600 Bellevue, WA 98004 United States
  • Contact: privacy@okta.com (see https://www.okta.com/legal/privacy-policy/ for more details)
Cloudflare
  • Purpose: Provides security services (incl. WAF and DDoS mitigation), performance optimization, and TLS termination for all customer-facing web services.
  • Description of Data Processing: Global content-delivery and security network operating from edge data centers worldwide; processes IP and request metadata for caching and protection.
  • Processed Personal Data:
    • IP addresses
    • User agent strings
    • HTTP request metadata (headers, cookies)
    • Request timestamps
    • Geographic location data (derived from IP)
  • Company: Cloudflare, Inc.
  • Headquarter Address: 101 Townsend St, San Francisco, CA 94107 USA
  • Contact: Data Protection Officer, dpo@cloudflare.com
Couchdrop
  • Purpose: Facilitates secure import/export of bulk data between Carbonfact and customer systems.
  • Conditions of use: Optional, only if SFTP is used for data integration and file transfers.
  • Description of Data Processing: Managed SFTP gateway hosted in secure cloud infrastructure; processes file transfer metadata and encrypted payloads. (Note: customer data is only transferred, and then stored in our GCP Infrastructure).
  • Processed Personal Data:
    • Usernames
    • IP addresses
    • File transfer metadata (timestamps, file names)
    • Connection logs
    • Authentication credentials
  • Company: Couchdrop Limited
  • Headquarter Address: 46 Bengal Drive, Christchurch, 8022, New Zealand
  • Contact: Data Protection Officer, security@couchdrop.io
GitHub
  • Purpose: Orchestrates and executes data processing jobs, including customer data processing workflows and database migrations.
  • Description of Data Processing: Cloud-based CI/CD platform that runs automated workflows (GitHub Actions) for data processing, transformation, and database operations. Processes customer data transiently during job execution but does not persistently store any customer data. All data remains in secure ephemeral runtime environments.
  • Processed Personal Data:
    • Any personal data included in processing pipelines (transient only)
  • Company: GitHub B.V., Prins Bernhardplein 200, 1097JB Amsterdam, The Netherlands.
  • Parent Company: GitHub, Inc., 88 Colin P. Kelly Jr. St., San Francisco, CA 94107, United States.
  • Headquarter Address: 88 Colin P Kelly Jr St, San Francisco, CA 94107, United States
  • Contact: privacy@github.com, GitHub Privacy Statement
Google Cloud Platform (GCP)
  • Purpose: Primary hosting and data persistence layer for production systems.
  • Description of Data Processing: Cloud infrastructure and storage provider hosting the main application and databases within EU data centers (Frankfurt region).
  • Processed Personal Data:
    • All end-user data stored in the application (names, email addresses, user profiles)
    • User credentials and authentication data
    • Application usage data and logs
    • User-generated content and configurations
    • IP addresses and session information
    • Any other personal data processed by Carbonfact's platform
HubSpot
  • Purpose: Used for sales, marketing, and customer relationship management activities.
  • Description of Data Processing: SaaS CRM platform hosted in the US; processes contact details, communication logs, and marketing event data.
  • Processed Personal Data:
    • Names (first and last)
    • Email addresses
    • Phone numbers
    • Company names and job titles
    • Communication logs (emails, calls, meeting notes)
    • Marketing interaction data (email opens, clicks, form submissions)
    • Website visit data and behavioral tracking
  • Company: HubSpot, Inc.
  • Headquarter Address: 2 Canal Park, Cambridge, MA 02141, United States
  • Contact: Privacy request form
Jimo
  • Purpose: Used to display in-app announcements, collect feedback, and manage feature communication.
  • Description of Data Processing: SaaS tool hosted in the EU; processes in-app usage and engagement data via SDK.
  • Processed Personal Data:
    • User IDs
    • Email addresses
    • In-app interaction data (clicks, views, feedback submissions)
    • Feature usage patterns
    • User preferences and settings
  • Company: Jimo
  • Headquarter Address: 11 rue de la pleiade, 94230 Cachan, France
  • Contact: support@usejimo.com
PostHog
  • Purpose: Used to analyze product usage and improve UX through aggregated behavioral insights.
  • Description of Data Processing: Product analytics platform hosted in the EU; processes event and usage data.
  • Company: PostHog, Inc.
  • Processed Personal Data:
    • User IDs
    • Session data and recordings
    • Event tracking data (page views, clicks, actions)
    • IP addresses
    • Device and browser information
  • Headquarter Address: 2261 Market Street Suite 4008, San Francisco, CA 94114, USA
  • Contact: privacy@posthog.com
Postmark
  • Purpose: Sends transactional emails such as password resets, confirmations, and notifications.
  • Description of Data Processing: Email delivery service hosted in US data centers; processes recipient addresses, message content, and delivery logs.
  • Processed Personal Data:
    • Email addresses (recipients)
    • Names (when included in emails)
    • Email content (transactional messages)
    • Delivery logs and timestamps
    • Email engagement data (opens, bounces)
  • Company: ActiveCampaign, LLC
  • Headquarter Address: 1 N Dearborn St, Suite 500 Chicago, IL 60602 United States
  • Contact: privacy@activecampaign.com
Sentry
  • Purpose: Monitors application stability and assists in debugging and incident resolution.
  • Description of Data Processing: Error tracking and performance monitoring platform; processes stack traces and runtime metadata, hosted in the EU.
  • Processed Personal Data:
    • User IDs and email addresses
    • IP addresses
    • Error logs and stack traces
    • Performance metrics and transaction data
    • Browser/device information
    • Session metadata
  • Company: Sentry, Inc.
  • Headquarter Address: 45 Fremont St, 8th Floor, San Francisco, CA 94105
  • Contact: compliance@sentry.io
Vercel
  • Purpose: Hosts and delivers the web application frontend and static assets to end users.
  • Description of Data Processing: Global edge hosting and deployment platform; serves frontend assets and serverless functions from distributed regions (EU and global).
  • Processed Personal Data:
    • IP addresses
    • HTTP request metadata
    • Session cookies
    • User agent strings
    • Access logs and timestamps
  • Company: Vercel Inc.
  • Headquarter Address: 440 N Barranca Avenue #4133 Covina, CA 91723 United States
  • Contact: privacy@vercel.com

Optional Sub-Processors for AI Features

These sub-processors are engaged solely for the provision of specific features and workflows that utilize Generative Artificial Intelligence, Large Language Models (LLMs), or comparable technologies. Customer organizations retain full discretion to opt out of these features entirely or to exclude specific sub-processors from their processing activities.

When engaged, these sub-processors process data on behalf of Carbonfact in its capacity as Data Processor for its customers.

Important Note: These sub-processors are not designed or intended for the processing of personal data. However, given their deployment in user-interactive functionalities (such as conversational interfaces or collaborative tools), end users may inadvertently or voluntarily input personal information. Customers are advised to implement appropriate safeguards and user guidelines to minimize such risks.

Anthropic
  • Purpose: Used to support natural-language reasoning and content generation features in the platform.
  • Description of Data Processing: Provides AI model inference through managed API services; data processed transiently within Anthropic's secure cloud environment (US-based).
  • Company: Anthropic PBC
  • Headquarter Address: 548 Market Street, PMB 90375, San Francisco, CA 94104
  • Contact: privacy@anthropic.com, Data Protection Officer (dpo@anthropic.com)
OpenAI
  • Purpose: Supports AI-powered text analysis, summarization, and content assistance features.
  • Description of Data Processing: Provides AI model inference through API access; processes text prompts and responses transiently within secure cloud environments (US-based).
  • Company: OpenAI Ireland Limited
  • Headquarter Address: 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland
  • Contact: Support contact

Carbonfact Processors

These sub-processors are used for Carbonfact's internal operations, where Carbonfact acts as a Data Controller. They process data related to Carbonfact's operational activities, which may include customer metadata such as project management information, analysis results, quality reviews, statistics, metrics, and other aggregated or derived data necessary for service delivery, customer support, and operational excellence. 

Anthropic
  • Purpose: Used to support natural-language reasoning and content generation features in the platform.
  • Description of Data Processing: Provides AI model inference through managed API services; data processed transiently within Anthropic's secure cloud environment (US-based).
  • Company: Anthropic PBC
  • Headquarter Address: 548 Market Street, PMB 90375, San Francisco, CA 94104
  • Contact: privacy@anthropic.com, Data Protection Officer (dpo@anthropic.com)
Asana
  • Purpose: Internal project management, task tracking, and workflow coordination.
  • Description of Data Processing: Cloud-based project management platform; processes internal project plans, task assignments, customer project metadata, delivery timelines, and operational coordination data.
  • Company: Asana, Inc.
  • Headquarter Address: 633 Folsom Street, Suite 100, San Francisco, CA 94107, United States
  • Contact: privacy@asana.com, Privacy Policy
Front
  • Purpose: Internal customer communication management, shared inbox, and customer support coordination.
  • Description of Data Processing: Cloud-based communication platform; processes customer emails, support conversations, internal team comments, customer contact information, and support ticket metadata for managing customer communications and support operations.
  • Company: Front App, Inc.
  • Headquarter Address: 85 2nd Street, San Francisco, CA 94105, United States
  • Contact: privacy@front.com, Privacy Policy
GitHub
  • Purpose: Internal source code repository, version control, documentation, and development collaboration.
  • Description of Data Processing: Cloud-based development platform; hosts internal source code, technical documentation, issue tracking, and development workflows that may reference customer requirements, project specifications, and operational procedures.
  • Company: GitHub B.V., Prins Bernhardplein 200, 1097JB Amsterdam, The Netherlands.
  • Parent Company: GitHub, Inc., 88 Colin P. Kelly Jr. St., San Francisco, CA 94107, United States.
  • Headquarter Address: 88 Colin P Kelly Jr St, San Francisco, CA 94107, United States
  • Contact: privacy@github.com, GitHub Privacy Statement
Google Cloud Platform (GCP)
  • Purpose: Internal infrastructure, data storage, and operational tools (beyond customer-facing production systems).
  • Description of Data Processing: Cloud infrastructure used for internal analytics, testing environments, operational databases, and internal tool hosting; processes customer metadata, operational metrics, and internal business data.
  • Company: Google Cloud France
  • Headquarter Address: 8 RUE DE LONDRES 75009 PARIS, France
  • Contact: Security contact, Privacy support page
Google Workspace
  • Purpose: Internal communication, document management, and productivity tools (email, calendar, drive, docs, sheets, etc.).
  • Description of Data Processing: Cloud-based productivity suite hosted in Google's data centers; processes employee emails, documents, calendars, and internal communications.
  • Company: Google LLC
  • Headquarter Address: 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States
  • Contact: Privacy support page
HubSpot
  • Purpose: Internal customer relationship management, sales operations, and marketing activities.
  • Description of Data Processing: CRM platform processing customer organization contact details, sales interactions, support tickets, and business development data for Carbonfact's internal sales and customer success operations.
  • Company: HubSpot, Inc.
  • Headquarter Address: 2 Canal Park, Cambridge, MA 02141, United States
  • Contact: Privacy request form
Notion
  • Purpose: Internal knowledge management, documentation, and team collaboration.
  • Description of Data Processing: Cloud-based workspace platform; processes internal documents, notes, wikis, and project management data related to Carbonfact's operations.
  • Company: Notion Labs, Inc.
  • Headquarter Address: 500 Howard Street, San Francisco, CA 94105, United States
  • Contact: team@makenotion.com, Privacy support

n8n
  • Purpose: Internal workflow automation and integration platform.
  • Description of Data Processing: Cloud-based automation platform; processes internal workflow data, API integrations, and automated task execution for Carbonfact's operations.
  • Company: n8n GmbH
  • Headquarter Address: Borsigstraße 27, 10115 Berlin, Germany
  • Contact: security@n8n.io
Observable
  • Purpose: Internal data visualization, analysis, and collaborative notebooks for operational insights.
  • Description of Data Processing: Cloud-based data analysis and visualization platform; processes customer metadata, statistical analyses, quality metrics, and operational data for internal reporting and decision-making purposes.
  • Company: Observable, Inc.
  • Headquarter Address: 60 29th Street, Suite 343, San Francisco, CA 94110, United States
  • Contact: support@observablehq.com, Privacy Policy

OpenAI
  • Purpose: Supports AI-powered text analysis, summarization, and content assistance features.
  • Description of Data Processing: Provides AI model inference through API access; processes text prompts and responses transiently within secure cloud environments (US-based).
  • Company: OpenAI Ireland Limited
  • Headquarter Address: 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland
  • Contact: Support contact
Praiz
  • Purpose: Internal conversation intelligence, call recording, sales coaching, and automated CRM data extraction.
  • Description of Data Processing: AI-powered conversation intelligence platform; records and transcribes sales calls and customer meetings, extracts insights and key information from conversations, analyzes call quality and performance, and processes customer conversation data for internal sales coaching, performance analysis, and operational insights.
  • Company: PRAIZ SAS
  • Headquarter Address: 9 Rue d'Anjou, 75008 Paris, France
  • Contact: support@praiz.io, Privacy Policy
Retool
  • Purpose: Internal tool development platform for building custom operational dashboards and administrative interfaces.
  • Description of Data Processing: Cloud-based application builder; processes customer metadata, project information, operational metrics, and support data for internal tooling and workflow management.
  • Company: Retool, Inc.
  • Headquarter Address: 1550 Bryant Street, Suite 826, San Francisco, CA 94103, United States
  • Contact: security@retool.com, Privacy Policy
Slack
  • Purpose: Internal team communication, collaboration, and operational coordination.
  • Description of Data Processing: Cloud-based messaging platform; processes internal communications, project discussions, customer support coordination, and operational information that may include customer metadata and project details.
  • Company: Slack Technologies, LLC (Salesforce, Inc.)
  • Headquarter Address: 415 Mission Street, 3rd Floor, San Francisco, CA 94105, United States
  • Contact: privacy@slack.com, Privacy Policy

Stripe
  • Purpose: Payment processing, billing management, and subscription operations.
  • Description of Data Processing: Cloud-based payment platform; processes customer billing information, payment transactions, subscription data, invoice details, and financial records for Carbonfact's revenue operations and financial management.
  • Company: Stripe, Inc.
  • Headquarter Address: 354 Oyster Point Boulevard, South San Francisco, CA 94080, United States
  • Contact: privacy@stripe.com, Privacy Policy

Artificial Intelligence and Machine Learning

You can learn more about how we use AI and ML on AI & ML Usage.

Vulnerability Disclosure Program

You can find more information about how to safely disclose security vulnerabilities on this page.
