Compliance & Certification
SOC 2 Type II
Karbon’s web application product is SOC 2 Type 2 certified. This certification is issued after an annual audit that thoroughly evaluates Karbon’s security practices. Receipt of the SOC 2 Type 2 certification confirms that Karbon has implemented the necessary policies, systems, and processes that comply with best practices for security, availability, confidentiality, and privacy, according to standards set by the American Institute of Certified Public Accountants (AICPA). Download the SOC 3 Report, or contact the team to request the SOC 2 Type 2 report.
An Information Security Management System (ISMS) has been implemented in accordance with the requirements set out in ISO 27001. However, Karbon has not yet been independently certified as ISO 27001 compliant.
GDPR and Global Privacy Laws
Karbon is committed to privacy and the protection of individual privacy rights for the entire global network of customers, product users, and stakeholders. To meet the requirements of the global privacy laws applicable to the business, policies and practices have been implemented that adhere to the corresponding global privacy standards. Internal assessments have been conducted to ensure these requirements are being met, including self-assessment for GDPR compliance.
Encryption in Transit
The Karbon web application, including the Client Portal and Practice Intelligence features, uses the secure Transport Layer Security (TLS) protocol to encrypt all data transmission activities between the web application and web application users. Implementing TLS to encrypt data transmissions protects the confidentiality of all data transmitted to the web application and helps to prevent data theft or manipulation by cyberattack.
Encryption at Rest
All data stored within the Karbon web application, including data backups, is encrypted at rest with AES 256-bit encryption to protect data confidentiality during storage. Implementing AES 256-bit encryption protects the confidentiality of stored data and helps to prevent unauthorized access and/or data theft or manipulation by cyberattack.
System Performance Monitoring
Technology solutions to monitor the performance of the web application products and the cloud computing environment used to operate them have been implemented. This includes the configuration of defined performance thresholds that alert the IT team of any issues with performance to ensure investigation and resolution for continued operation.
System and Services Recovery
Karbon has operational support staff available on call 24 hours a day, 7 days a week. In the event of an unscheduled outage, incident response and system recovery procedures are initiated to maintain continued business operations and system performance. Additionally, periodic testing is performed to ensure that systems and data can be restored in the event of an outage or issue that requires restoration activities.
Karbon’s incident management process ensures rapid response to security events that may affect the security, confidentiality, processing integrity, or availability of the Karbon web application, or any violations of data privacy law. Incident management procedures include the identification, containment, investigation, correction, and post-evaluation of incidents to maintain service commitments for security, confidentiality, availability, processing integrity, and privacy for customers and stakeholders.
Business Continuity and Disaster Recovery
In addition to incident management and service recovery procedures, established policies, procedures, and plans ensure continued operations in the event of a significant outage, security event, or disaster scenario impacting the business or web application network.
Cloud computing products and services are utilized to operate and deliver the web application, and the vendors of these products and services are evaluated to ensure appropriate safeguards (security measures) are in place to protect the IT operation environment and the data processed within that environment. Service providers also implement best-in-class security practices to ensure the protection of information systems and data, prevent cyberattacks, and adhere to regulatory standards for security and privacy compliance.
Karbon data is stored in secured databases and file stores, and data backups are performed regularly to ensure that copies of data are maintained to support incident management, system or disaster recovery, and business continuity requirements. Data backups are also encrypted at rest with AES 256-bit encryption to ensure their protection and confidentiality during storage.
Additionally, periodic testing is performed to ensure backup data can be restored in the event of an outage or issue that requires restoration activities.
All customer information is stored using enterprise-grade cloud computers, secure data storage and highly scalable databases.
Web Application (Product) Security
Authentication to the platform is performed via an encrypted connection to the customer’s preferred Microsoft or Google email account.
Access to Karbon is connected to a user’s email account. Multi-factor or two-factor authentication can be set for the user’s email account login.
All customers must be invited to join a Karbon tenant account and accept that invitation before they can access any account data. A selected authentication provider is recorded for the user and all future login attempts require authentication using the same provider.
The Karbon web application is designed to allow customers the ability to manage user access within their tenant. The assignment of access permissions can provide restricted or unrestricted access to a customer’s tenant and tenant data. Customers are responsible for managing access to their web application tenant.
Administrative Data Access
Access to production databases is strictly controlled and only users with a need to access production data for customer support or problem resolution have access. On request, Karbon will securely delete a customer’s Karbon data.
Data backups are encrypted and sensitive data is encrypted/masked in the live database.
In-app user permissions allow you to control what data a user can access and what company-wide actions and settings can be controlled.
Identity and Authentication
All users with access to Karbon’s systems are required to use uniquely identifiable identities and secure authentication credentials (e.g., strong passwords, access tokens, etc.) to verify their identities for authorized access to the system and to ensure accountability of activities within the systems. Additionally, multi-factor authentication is required for gaining access to all systems processing confidential or sensitive information. These user authentication practices reduce the likelihood of an account compromise due to cyberthreats.
User Access Management
Access control activities have been implemented to ensure proper management of access to the web application and the systems used to operate the business and deliver the Karbon platform to customers. These access control procedures include evaluating access permissions when granted and periodically thereafter. They also include the timely removal of access when no longer needed and adherence to the “need to access” and “least privilege access” principles for user access, only granting the minimum level of access needed for a user within the environment.
Secure Development Lifecycle
Security within the software development lifecycle process has been implemented to ensure that security and threats to security within the web application are considered. SDLC procedures include planning, static testing, dynamic testing, quality assurance testing, and rollback procedures to ensure that a structured and secured process for making safe and effective changes to the web application is followed.
Testing and staging environments are logically separated from the web application’s production environment, and production data is never used to perform testing activities.
System vulnerability assessments, penetration testing, and internal security controls have been implemented to identify security vulnerabilities and reduce the risk of exposure to common cyber attacks. These assessments and security practices assist with the continued evaluation and correction of identified vulnerabilities. In addition, the Vulnerability Disclosure Program enables the identification and proactive addressing of inbound security vulnerabilities provided by customers and the broader technical community.
Security practices are in place that require evaluation of available software patches and updates and implementation of them to ensure systems are maintaining up-to-date security. The performance of system patching and updates reduces the likelihood that systems will include vulnerabilities that can be exploited by malicious actors and cyberthreats.
Conduct and Ethics
The Karbon team is held to high ethical and conduct standards to ensure a working environment that fosters integrity, ethical behavior, and maintenance of a high level of responsibility for security and confidentiality. These standards are communicated to team members via policies, procedures, and periodic training and communication activities.
All Karbon employees, contractors, and vendors are required to sign a confidentiality agreement or non-disclosure agreement to ensure the assignment of responsibility for data confidentiality and data privacy.
Information Security Policies
A comprehensive set of security policies is established and communicated to all Karbon employees and contractors with access to Karbon information systems and resources. These policies reflect the objectives for Karbon’s information security and risk management strategy and serve as a point of reference for the team to implement best practices for security and data protection.
Security Awareness Training
All Karbon employees are required to complete security awareness training during their employment onboarding and annually thereafter. Security awareness training provides education on security best practices and on the common cyber threats and tactics that employees should be aware of to protect themselves from falling victim to a cyberattack.
Enterprise Risk Assessment
The Karbon leadership team and risk management team conduct regular risk assessment activities and a formal enterprise risk assessment to evaluate risk presented to the organization, products, and operations. These assessments facilitate thought leadership and executive support for the strategy to achieve best-in-class security and privacy for Karbon’s web application and operations.
Third-Party Risk Assessment
In addition to enterprise risk assessment, periodic third-party vendor risk assessments are conducted to evaluate security practices of vendors. These risk assessment activities are also performed to ensure that vendors meet expected security and data privacy requirements and to evaluate the impact of their security practices on the Karbon operating environment.