Karbon achieves SOC 2 Type 1 certification

Keeping customer data safe and secure is a huge responsibility and a top priority for us at Karbon. Today, we are proud to announce that we are going one step further in our efforts to protect our customers’ data, having achieved SOC 2 Type 1 certification.

We embarked on this examination as part of our ongoing commitment to delivering the most robust, professional, and secure experience to our customers. The receipt of the SOC 2 Type 1 report comes after many months of work and significant effort by the entire Karbon team.

Karbon — a service organization

System and Organization Controls (SOC) reports are designed to help companies that provide services to other organizations (service organizations) build trust and confidence in the services performed and the controls related to these services, through a report issued by an independent CPA. There are several types of SOC reports that can be issued by a CPA. The type of report needed by a service organization is determined by the management of the service organization and the needs of the users of the service.

Karbon is a service organization, so it is important for us to obtain a SOC report for our services and the systems and internal control processes we have implemented to address risks associated with providing our services and the use of your data.

Our management team has determined that a SOC 2 report is the appropriate report to communicate the effectiveness of our security processes, our methods of addressing risk, and protecting your information.

What is a SOC 2 Type 1 report?

There are several types of SOC reports that can be issued by a CPA for a service organization. In short, a SOC 2 report speaks to the effectiveness of internal controls (i.e. internal business systems and/or processes) relevant to the Security, Availability, Confidentiality, Processing Integrity, or Privacy of a service organization. Further, a SOC 2 report can be issued as either a Type 1 report or a Type 2 report.

A SOC 2 Type 1 report speaks to the design of our internal control processes, whereas a SOC 2 Type 2 report speaks to the design and operation of our internal control processes.

Our management team has determined that a SOC 2 Type 1 report for internal controls relevant to Security, Availability, and Confidentiality is an appropriate report to initially communicate our information security and risk management processes regarding the Karbon platform.

We have engaged an independent CPA firm to perform an examination of our internal control processes, and we have received a SOC 2 Type 1 report from this CPA firm to demonstrate that we have implemented controls to address risk and protect the information we collect and use to provide our services, in accordance with the trust services criteria set by the American Institute of Certified Public Accountants (AICPA).

For us at Karbon, successfully completing a SOC 2 Type 1 report shows that we are on track for establishing best practices in protecting your information.

This report asserts that we have implemented the necessary systems and processes to facilitate meeting the security standards our customers expect when it comes to their data.

SOC 2 Type 2 Report

We are excited to have received the SOC 2 Type 1 report for our services, which demonstrates that we have designed and implemented controls to protect the Karbon platform and its data.

However, this is only the beginning of our efforts to demonstrate trust and confidence in our Karbon platform service offerings.

We are currently working diligently to ensure that the internal controls included within our SOC 2 Type 1 report are continuing to operate appropriately. This includes reviewing our internal control environment, collecting the necessary artifacts and information needed to demonstrate effective control operation to our SOC examiners, and engaging information technology and information security experts to assist with our IT and SOC compliance objectives.

We are expected to undergo another SOC 2 examination this year, which will result in the issuance of a SOC 2 Type 2 report. Our goal for SOC 2 certification is to provide you the assurance that we have all the right controls in place to protect your data and ensure the availability of our service.

Our customers can request and reference our SOC 2 Type 1 report to understand the design of the internal control processes that are expected to be included within the SOC 2 Type 2 report when it is issued.

To request a copy of the Karbon SOC 2 Type 1 Report, please contact us.

How we protect customer data

Protecting the confidentiality and privacy of our customer data is a non-negotiable aspect of our culture at Karbon. We consider information security and risk management to be a “necessary good”.

As a result, all Karbon employees contribute to the performance of information security procedures and practices required by management to enforce the protection of company information and assets, including your information.

We take a security-first approach towards the planning and execution of product development, quality assurance, network security, and operational support activities. We utilize leading technologies and industry best practices to maintain the security and availability of the Karbon platform and the confidentiality and integrity of everything stored within the platform.

Learn more about our security practices.

Our ongoing commitment to security

We are passionate about providing a safe and secure platform to manage your work, collaborate with your team, and work with your clients.

We are committed to providing the level of security expected by our customers and will continue to refine our control processes to adapt to the changes impacting our data protection objectives and customer needs.

Where to from here?

As we move through our SOC 2 Type 2 examination period, we are committed to sharing our experiences more broadly and demonstrating how we have utilized the Karbon platform to achieve our SOC attestation.

Sharing this experience is on our agenda, and making a considerable volume of IP available under an open-source arrangement is important to us as an organization.