Karbon data privacy and GDPR compliance roadmap

At Karbon, we understand the importance of protecting your data. It’s a big deal. It is especially important for Karbon customers. As accounting and business professionals, they are responsible for ensuring that the sensitive, confidential, and personal information they collect is handled with care and protected from unauthorized access, disclosure, manipulation, or subject to data breach.

Our management team understands the importance of data security and data privacy responsibilities that are placed upon our users, the Karbon Community, so this article is designed to provide insight into our plans for privacy and compliance with the General Data Protection Regulation (GDPR).

Data security

There are many components to data privacy compliance with GDPR, including our responsibility to establish processes that meet data subject rights under these privacy regulations.

First, let’s revisit security for the Karbon Software-as-a-Service (SaaS) application, since one of the primary and fundamental components to GDPR compliance is how we safeguard (or protect) our users' data and limit exposure to data breaches.

Our SaaS application, the Karbon application, has successfully completed a SOC 2 Type 2 examination and received a SOC 2 Type 2 report from an independent CPA firm. This provides a professional opinion that we have implemented and operate appropriate internal controls (or processes) for security, availability, and confidentiality for the IT network of our Karbon application (named within our SOC report as “Karbon Work Management System”).

What is the importance of the SOC 2 Report?

Our SOC 2 Type 2 report demonstrates that we have implemented appropriate security practices and safeguards for our data processing activities. The SOC 2 examination included working with auditors to evaluate the organization, technical, and procedural controls that we have implemented within our IT network to secure our users' data.

The examination includes inspection of security configurations and procedural documentation that supports our implementation of data security best practices technologically, organizationally and culturally.

We will be conducting our SOC 2 Type 2 examination annually to continue to demonstrate our security practices and our ability to implement appropriate safeguards for protecting our users' sensitive, confidential, and personal information.

SOC 2 Type 2 Report

You can request a copy of our General Use SOC 3 Report. If you are a Karbon customer, you can request a copy of our SOC 2 Type 2 report from our security overview page. This details all of the above-mentioned security practices for the Karbon application.

Data privacy compliance and GDPR roadmap

Data security and data privacy compliance is a significant project for most companies, including Karbon. It involves identifying the right people, systems, and processes that should exist within our company to ensure that we adhere to data security and privacy compliance requirements applicable to our organization.

Our company has recently completed our procedures to appropriately adhere to SOC 2 standards for data security; however, we are currently completing our procedures to ensure that we fully implement appropriate data privacy processes and adhere GDPR compliance.

Transparency is very important in our industry, and so is GDPR compliance, so we want to communicate our plans and timeline for Karbon’s full GDPR compliance implementation.

Karbon’s current state of GDPR compliance

Currently, we have implemented several important pieces to our GDPR compliance program. These include the implementation of the following technologies, activities, or justifications supporting GDPR compliance within our company:

Documentation of our Privacy Policy (Notice)

We have published our Privacy Policy on our website to communicate our overall practices for the use of personal information that we collect and process during the performance of our services.

Documentation of our lawful basis for processing

Our data processing activities are necessary for the performance of our service contracts with our Karbon customers, to which data subjects are an indirect party.

Accounting professionals using our Karbon application have entered into contracts to use our Karbon application in connection with the services they provide to their customers (which are often data controllers or data subjects). In connection with our customers' agreement to use our Karbon application, our application processes data subject information.

Implementation of appropriate technical and organizational safeguards (security)

As mentioned, we have a SOC 2 Type 2 report that speaks to our security practices for protecting our customers' data. These security practices include the implementation of encryption and access controls technologies/ procedures to ensure we protect our data.

Implementation of a dedicated European (EU) data center

Karbon application users located within the EU utilize a version of our SaaS application that is operated by IT resources (i.e. computers and services) located within the EU, which means EU customer data remains within the EU during our data processing activities.

Designated individual responsible for GDPR compliance and a Data Protection Officer (DPO)

We have designated a DPO within our organization, and our DPO works closely with our Executive Management team (CEO, CTO, VPs, and Directors) to provide oversight and execution of Karbon’s risk management and data security and privacy practices, including GDPR compliance.

Established a process for notifying supervisory authorities and data subjects of data breaches

We have identified the appropriate supervisory authority to notify in the event of a data breach, which is a requirement for GDPR compliance.

Appoint a representative within a EU member state

A GDPR requirement for companies that operate outside of the EU, includes appointing a representative within an EU member state that can communicate with data protection authorities in the event of a data breach.

Our management team has engaged a privacy compliance vendor, Osano, to assist with the implementation and monitoring of our privacy compliance program. Osano provides a privacy compliance platform that we utilize for cookie policy management and monitoring privacy law changes, monitoring third-party vendor policy changes, and several other privacy compliance-related activities.

We also use Osano as our appointed representative within the EU:

Osano International Compliance Services Limited
ATTN: 74QZ
25/28 North Wall Quay
Dublin 1, D01 H104
IRELAND

GDPR information audit

We are currently performing an information audit of our data processing and data privacy control activities to evaluate their operation and ensure our full compliance with GDPR standards.

This process includes the implementation of systems and procedures that will allow our team to have appropriate insight into our data processing activities and procedures for processing requests pertaining to data subject rights.

Although we do not expect our internal evaluation procedures to take an unreasonably long time to complete, we are asking for your patience as we perform the necessary due diligence required to ensure our compliance with GDPR regulatory standards.

We appreciate your patience and understanding as we work to improve our compliance and our service to our customers. If you have any questions that require immediate attention, please contact our customer support team or your sales representative and we will do our best to provide an answer to support your needs.