At Karbon, we understand the importance of protecting your data. It’s a big deal. It is especially important for Karbon customers. As accounting and business professionals, they are responsible for ensuring that the sensitive, confidential, and personal information they collect is handled with care and protected from unauthorized access, disclosure, manipulation, or subject to data breach.
Our management team understands the importance of data security and data privacy responsibilities that are placed upon our users, the Karbon Community, so this article is designed to provide insight into our plans for privacy and compliance with the General Data Protection Regulation (GDPR).
There are many components to data privacy compliance with GDPR, including our responsibility to establish processes that meet data subject rights under these privacy regulations.
First, let’s revisit security for the Karbon Software-as-a-Service (SaaS) application, since one of the primary and fundamental components to GDPR compliance is how we safeguard (or protect) our users' data and limit exposure to data breaches.
Our SaaS application, the Karbon application, has successfully completed a SOC 2 Type 2 examination and received a SOC 2 Type 2 report from an independent CPA firm. This provides a professional opinion that we have implemented and operate appropriate internal controls (or processes) for security, availability, and confidentiality for the IT network of our Karbon application (named within our SOC report as “Karbon Work Management System”).
Our SOC 2 Type 2 report demonstrates that we have implemented appropriate security practices and safeguards for our data processing activities. The SOC 2 examination included working with auditors to evaluate the organization, technical, and procedural controls that we have implemented within our IT network to secure our users' data.
The examination includes inspection of security configurations and procedural documentation that supports our implementation of data security best practices technologically, organizationally and culturally.
We will be conducting our SOC 2 Type 2 examination annually to continue to demonstrate our security practices and our ability to implement appropriate safeguards for protecting our users' sensitive, confidential, and personal information.
You can request a copy of our General Use SOC 3 Report. If you are a Karbon customer, you can request a copy of our SOC 2 Type 2 report from our security overview page. This details all of the above-mentioned security practices for the Karbon application.
Data security and data privacy compliance is a significant project for most companies, including Karbon. It involves identifying the right people, systems, and processes that should exist within our company to ensure that we adhere to data security and privacy compliance requirements applicable to our organization.
Our company has recently completed our procedures to appropriately adhere to SOC 2 standards for data security; however, we are currently completing our procedures to ensure that we fully implement appropriate data privacy processes and adhere GDPR compliance.
Transparency is very important in our industry, and so is GDPR compliance, so we want to communicate our plans and timeline for Karbon’s full GDPR compliance implementation.
Currently, we have implemented several important pieces to our GDPR compliance program. These include the implementation of the following technologies, activities, or justifications supporting GDPR compliance within our company:
Our data processing activities are necessary for the performance of our service contracts with our Karbon customers, to which data subjects are an indirect party.
Accounting professionals using our Karbon application have entered into contracts to use our Karbon application in connection with the services they provide to their customers (which are often data controllers or data subjects). In connection with our customers' agreement to use our Karbon application, our application processes data subject information.
As mentioned, we have a SOC 2 Type 2 report that speaks to our security practices for protecting our customers' data. These security practices include the implementation of encryption and access controls technologies/ procedures to ensure we protect our data.
Karbon application users located within the EU utilize a version of our SaaS application that is operated by IT resources (i.e. computers and services) located within the EU, which means EU customer data remains within the EU during our data processing activities.
We have designated a DPO within our organization, and our DPO works closely with our Executive Management team (CEO, CTO, VPs, and Directors) to provide oversight and execution of Karbon’s risk management and data security and privacy practices, including GDPR compliance.
We have identified the appropriate supervisory authority to notify in the event of a data breach, which is a requirement for GDPR compliance.
A GDPR requirement for companies that operate outside of the EU, includes appointing a representative within an EU member state that can communicate with data protection authorities in the event of a data breach.
We also use Osano as our appointed representative within the EU:
Osano International Compliance Services Limited
25/28 North Wall Quay
Dublin 1, D01 H104
We are currently performing an information audit of our data processing and data privacy control activities to evaluate their operation and ensure our full compliance with GDPR standards.
This process includes the implementation of systems and procedures that will allow our team to have appropriate insight into our data processing activities and procedures for processing requests pertaining to data subject rights.
Although we do not expect our internal evaluation procedures to take an unreasonably long time to complete, we are asking for your patience as we perform the necessary due diligence required to ensure our compliance with GDPR regulatory standards.
Our expected completion date for our full GDPR compliance is October 2021.
We appreciate your patience and understanding as we work to improve our compliance and our service to our customers. If you have any questions that require immediate attention, please contact our customer support team or your sales representative and we will do our best to provide an answer to support your needs.
Chief Information Security Officer, Karbon
Christopher Johnson is the Owner and Managing Director of Johnson Risk Advisory Services and also acts as Karbon's CISO. He has over 8 years of experience including big four assisting companies with internal controls, information security, and data protection, and specializes in SOC examination services.